| Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files |
|---|---|---|---|---|---|
| Wow6432Node CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd | 6047276 | 39629 |
| Creation of an Executable by an Executable | frack113 | Sigma Integrated Rule Set (GitHub) | b5386a23355681c43cfbd2f2ccfe4b16ed45324d0d7b5583487a9f302ee1e427 | 4911581 | 654511 |
| CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc | 4157997 | 70747 |
| Potential Persistence Via COM Search Order Hijacking | Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien | Sigma Integrated Rule Set (GitHub) | 7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4 | 2233352 | 172085 |
| CurrentVersion NT Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | d706314122bff93e0dbdf079f1d1904d2f00407f34a893487d70105b1dc5b9ed | 2088841 | 5896 |
| Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c | 1833504 | 260569 |
| Scheduled TaskCache Change by Uncommon Program | Syed Hasan (@syedhasan009) | Sigma Integrated Rule Set (GitHub) | d62173552d7fce98c24a7040b784edf35cc6650d2e68ecf2d04f40c58d58cfda | 1816893 | 30331 |
| Hidden Executable In NTFS Alternate Data Stream | Florian Roth (Nextron Systems), @0xrawsec | Sigma Integrated Rule Set (GitHub) | 5be9da0a90b142239a3ff2819edf2283938855da3b4c80d63d8e6db63c2c4fe7 | 1539490 | 87237 |
| Failed Code Integrity Checks | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1 | 1484110 | 648889 |
| System File Execution Location Anomaly | Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f | 1387003 | 128599 |
| New DLL Added to AppInit_DLLs Registry Key | Ilyas Ochkov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 | 1219061 | 63 |
| DMP/HDMP File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 67ee86b34b3617ea45dec0ef09b7a71a5f44f5c010ccc9139d92f49685996f49 | 1102440 | 198850 |
| Change PowerShell Policies to an Insecure Level | frack113 | Sigma Integrated Rule Set (GitHub) | 06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1 | 968286 | 478736 |
| Files With System Process Name In Unsuspected Locations | Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e | 920169 | 5126 |
| Modification of IE Registry Settings | frack113 | Sigma Integrated Rule Set (GitHub) | 7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5 | 735679 | 24972 |
| Password Protected Compressed File Extraction Via 7Zip | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22e867c244280c1d01bcddc8355c10d82b6c69577cd784cefbbe4eb5e7a82f65 | 644341 | 256661 |
| Suspicious Outbound SMTP Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 | 629544 | 420 |
| Suspicious New Instance Of An Office COM Object | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffbbcedfb9a1fd41ebb288154c10cf5cf869eb25195708be30f8a9df74f411cc | 581044 | 469574 |
| Execution from Suspicious Folder | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 | 554095 | 21556 |
| Common Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) | Sigma Integrated Rule Set (GitHub) | aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c | 533031 | 1154 |
| Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 | 496516 | 1213 |
| CMD Shell Output Redirect | frack113 | Sigma Integrated Rule Set (GitHub) | e77646c39db7fa011a5223aeb73c738046787fc7f62a99394e883d76a54341f7 | 477150 | 17799 |
| Change PowerShell Policies to an Insecure Level - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 | 453579 | 167529 |
| Suspicious Get-WmiObject | frack113 | Sigma Integrated Rule Set (GitHub) | 1f7f8b1e9005dd4d64cb9d30ed53ee94f68fb96262fbd72f7a0266881149c79f | 452853 | 164899 |
| Process Creation Using Sysnative Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01 | 443231 | 168753 |
| Potential Defense Evasion Via Binary Rename | Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257 | 414442 | 50291 |
| Use Remove-Item to Delete File | frack113 | Sigma Integrated Rule Set (GitHub) | d9b2eb00753c3049fbb4ed4f7d88f29b65a0c50bec45ff4723b95bb637f8f83d | 391305 | 173322 |
| Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f | 379373 | 7430 |
| Use NTFS Short Name in Command Line | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0bf6ba71da9d0f13368b0f1281354c8f9b3d491845ea5902282fece277ec655 | 377307 | 10701 |
| Rundll32 Internet Connection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4725cdcf2dfdd90c3aa0d331fae77d6ac8021c254701744a01444af04e9a0e69 | 369191 | 48646 |
| Python Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | e4d5f1be0673fa786cc8379c15338af08cdd11eed433bead9e801d6204d42a2d | 361431 | 91606 |
| Registry Modification to Hidden File Extension | frack113 | Sigma Integrated Rule Set (GitHub) | e6d175111f1e8dfecb77e2bbe404bdaad31873a97477136b427187abb5d09a89 | 357703 | 305 |
| User with Privileges Logon | frack113 | Sigma Integrated Rule Set (GitHub) | 8919a871f4a52b7af785fab44b4665ab6a3637e6ebeeac0288df8a5012a48be2 | 356597 | 168112 |
| New RUN Key Pointing to Suspicious Folder | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039 | 339004 | 16812 |
| Suspicious DNS Query for IP Lookup Service APIs | Brandon George (blog post), Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc | 335453 | 19943 |
| Non Interactive PowerShell Process Spawned | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f | 328077 | 39903 |
| Execution of Suspicious File Type Extension | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 | 326067 | 26612 |
| Service Binary in Suspicious Folder | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 71686ca6fd31ecd29454e2d39e38be5c971f96ad539e461b7d1d79b85f90182a | 317922 | 6868 |
| Uncommon Svchost Parent Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 | 305874 | 1209 |
| Run Once Task Configuration in Registry | Avneet Singh @v3t0_, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e31671617efd7f7d79bdc60259af085a8ceadd59619e28e3f3d57d90ed1501d | 284342 | 217 |
| Monero Crypto Coin Mining Pool Lookup | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0752dd4f3de82ada650a6c6ed1887cc940d8f55e130fec468ce0df9b2ec4ef25 | 272134 | 38 |
| UAC Disabled | frack113 | Sigma Integrated Rule Set (GitHub) | 80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b | 263915 | 751 |
| Suspicious File Created In PerfLogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a689c467d9cf931ad8d7fcb39456815daf9e5fb748bad72f1269eb6a8d64c5a0 | 256373 | 23 |
| Network Communication With Crypto Mining Pool | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde | 254339 | 25 |
| Use Short Name Path in Command Line | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 3c0434c2b9b483a1c7879404c2a80556dc54436bf222a970ca7131b1f30079f1 | 254143 | 28614 |
| Renamed Office Binary Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb031bd9cea5bfc07d877d0deeef37ed046229fe8cb82202aefe3220d14c8626 | 252210 | 3110 |
| Suspicious Screensaver Binary File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | ad081ff821748a3cd86b5954ef5c3d7d2a6602fe0b6e50ed47938b98bc184122 | 247076 | 4753 |
| Suspect Svchost Activity | David Burkett, @signalblur | Sigma Integrated Rule Set (GitHub) | dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a | 245282 | 363 |
| Displaying Hidden Files Feature Disabled | frack113 | Sigma Integrated Rule Set (GitHub) | a264eb1ecc5d771f6348e8cadd3e5508323440b132da9cd70e3c579354eb50b2 | 244404 | 238 |
| Vulnerable Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | efe6f377eb5896688f0baa7d44db4fc8d0639fa43f0d3dbb262bde8a7eb7b453 | 244346 | 924 |
| Vulnerable WinRing0 Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e6298fff951b11ea6aa772fe7d022e50af3068aa7254be68850f49e45e0ed13 | 241061 | 190 |
| Suspicious Microsoft Office Child Process | Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Sigma Integrated Rule Set (GitHub) | 6a6edfdea6536f74ea66bf73682ed52f4b86435793ed76ff38e3ab0523f029f5 | 236479 | 506 |
| Driver Load From A Temporary Directory | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 539dcb36e9155d97ed39c68182bde1733b86e2785cbef70586ce6a771645c425 | 235991 | 1021 |
| Scheduled Task Creation Via Schtasks.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 | 228770 | 8593 |
| Service Binary in Uncommon Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a55e06a3fb02c5ab9e6338bc2b61d50ebaa7e4236c27862400b7633243f477be | 224400 | 8674 |
| Powershell Defender Exclusion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e416af5a1bb67fdbd2f30ae3f5da7f74583460b36546527c909c354fb5dcd00 | 223730 | 2561 |
| Stop Windows Service Via Sc.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd1cc05e1a1d9416b75088f7ba5586374900fc625479abf320585293e9e21639 | 218408 | 3539 |
| Communication To Uncommon Destination Ports | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0cbddc72cfb3b9426508057fbe3e7b0ed88990983f04ad15f9685e585ce7ae66 | 217965 | 1952 |
| Rundll32 Execution With Uncommon DLL Extension | Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou | Sigma Integrated Rule Set (GitHub) | e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3 | 212794 | 24342 |
| Suspicious Schtasks From Env Var Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4 | 208795 | 1930 |
| Potential Persistence Via COM Hijacking From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a | 207029 | 126694 |
| Suspicious Network Connection to IP Lookup Service APIs | Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5 | 206890 | 20716 |
| Suspicious Non-Browser Network Communication With Google API | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | 6094a7d0c599a4dfac3b49ed5776afacc4a66b1a643b8aa31dce51c8f32f8704 | 205757 | 146673 |
| Audit Policy Tampering Via Auditpol | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae | 201495 | 32654 |
| Disable Microsoft Defender Firewall via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 4d91cff1255532aacd25d7b82261d545afc7d30837d1643a0dd2c4617aec5865 | 201190 | 47129 |
| Process Start From Suspicious Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 539d657ea3dfb52773cd8616d93fd64ba9112091984d1c3eb044c6e5dadd2c5c | 200163 | 58073 |
| Suspicious Process Start Locations | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 7776601555567f764fc3e22722bef1fdde521b5bdff9fff38f9031e9a3f7ce54 | 188487 | 120 |
| File Deletion Via Del | frack113 | Sigma Integrated Rule Set (GitHub) | 77ed185ff979a8d9206b5eed07bf6d5823529f713ed0ea19f2ef7a4a355568bc | 185831 | 3967 |
| Scheduled Task Created - FileCreation | Center for Threat Informed Defense (CTID) Summiting the Pyramid Team | Sigma Integrated Rule Set (GitHub) | 3418c5891b9d0a4ec974985072278b35b0a0f0254118d766d07553a547284b87 | 174884 | 7541 |
| SCR File Write Event | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 7a463b569de43655b8e8cf5b970001d720c38abf81bce54ba71ad19765b096e7 | 171677 | 4122 |
| Bad Opsec Defaults Sacrificial Processes With Improper Arguments | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53f67594c85a67cef198b525b556658fa4e46d1e49901472adbc8b7f0ba475a8 | 165919 | 5598 |
| Office Macro File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 27801b0f98df1ce7686b07b693c59e734c47189ef3db24ea1093f6f00ff2ed67 | 162590 | 86191 |
| Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 | 161796 | 5446 |
| Potential Persistence Attempt Via Run Keys Using Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a | 159823 | 10611 |
| PSScriptPolicyTest Creation By Uncommon Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d6ff8dca8c8ea9fa750972dd032542746369179e3aaceccc1c3f2cc2a35f5d25 | 158547 | 3380 |
| Automated Collection Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | 511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd | 155197 | 15 |
| Suspicious Call by Ordinal | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7eb83db20f6f8b5f580e107c2b6816110a31869a94de5e2797d917335d9fbc0 | 148059 | 99051 |
| New Service Creation Using Sc.EXE | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 9821e08a6d71e81d42d38e95e4265f2df05a9e00e70a874249d812f403a8c789 | 147706 | 1403 |
| Rundll32 Execution Without CommandLine Parameters | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 | 147318 | 1399 |
| Chromium Browser Instance Executed With Custom Extension | Aedan Russell, frack113, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37d47e5fc375cac096ef3e0d98b28b26d7e9e45f3b65373c8e1d5bb6d8e22b7e | 131513 | 59193 |
| Remote Thread Creation In Uncommon Target Image | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea7ec9e92c165a4cef023fd658ef72279f03378ab53f4481eb973ecb2171b193 | 131000 | 979 |
| Stop Windows Service Via Net.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b84c64b930b911c8206935d6c61b2a128347a34d495da3ea3523cdf5397c3ef | 128549 | 35425 |
| Python Image Load By Non-Python Process | Patrick St. John, OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 433ecdf8469138ce151b9e283d8e892c2aaec8d0aa9a1f631efac7da11cb1ba8 | 128446 | 9659 |
| Suspicious Schtasks Schedule Type With High Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e36b579d4bc4ef49ede1d82dd08ec1cba660d105c6f037d12ecf79b434617e88 | 126588 | 3460 |
| Powershell Create Scheduled Task | frack113 | Sigma Integrated Rule Set (GitHub) | 60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20 | 122237 | 44315 |
| Schedule system process | Joe Security | Joe Security Rule Set (GitHub) | 02b55b29ddf740930b68c311ca7cd59354f8c35ceda86d09a3fb06f08b760857 | 120685 | 252 |
| Disable Internal Tools or Feature in Registry | frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec | Sigma Integrated Rule Set (GitHub) | 86c36bfac526414900d3b4c6f66d0b7bb2cf11a511b7ad65c486685dc8d4d05f | 116441 | 639 |
| Read Contents From Stdin Via Cmd.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f | 113969 | 1770 |
| Suspicious Run Key from Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c | 113775 | 993 |
| LOLBAS rundll32 without expected arguments (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2fd6d2b16365ba7157eee4934b406ac7d530b4ec62cc1b45c69ee4f07989f139 | 112703 | 6608 |
| File And SubFolder Enumeration Via Dir Command | frack113 | Sigma Integrated Rule Set (GitHub) | 7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 | 111559 | 10636 |
| Suspicious Windows Service Tampering | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 941abf5111763a135c88b4f6437475eb4c99e8d4c3ebdb4b74e30321695b0fa7 | 110362 | 8670 |
| Suspicious Process Creation | Florian Roth | SOC Prime Threat Detection Marketplace | f09d5248ed8fc1a93251158bfda71f8144ccaf37fa922416ccd897498bff7c55 | 108781 | 2944 |
| Suspicious Double Extension Files | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c9e528bd3557dc88b06bd5d2dfbadd96e24026bd2d890a2604febd2829c3146b | 108485 | 148 |
| Suspicious Script Execution From Temp Folder | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681 | 108236 | 14540 |
| PowerShell Initiated Network Connection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5e9f310ab6a8611ea1b7b788e712f0f6bf452c3092675694cf6256931874071 | 104331 | 35258 |
| Suspicious Add Scheduled Task Parent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66d80afb92c9db3881829096827fcacc7b8a697c3ceeb3318163ce83367f394b | 102812 | 2435 |
| Disable Windows Defender Functionalities Via Registry Keys | AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400 | 101980 | 735 |
| Self Extraction Directive File Created In Potentially Suspicious Location | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | af7095d7af79bbd5d71771ff686f1cfff97b7c8e0f56cb180a29d9eba0df9b1e | 101234 | 80 |
| Windows Defender Exclusions Added - PowerShell | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171 | 97025 | 1440 |
| PowerShell Module File Created By Non-PowerShell Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b8c95f5909e68be942c69ab250a3b47557e33b2d1d582cd72e665210efeadb8f | 96786 | 331 |
| WMI Module Loaded By Non Uncommon Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | fb092b3aee3feb316c048a1249e1ac9639a63cac318318afd45bf38887b31b0c | 96217 | 11004 |
| Unsigned DLL Loaded by Windows Utility | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 683818f24875a562c0b792edd4183d333b6b0b284ca8a88cc47fb2c9ae5b1473 | 95967 | 26817 |
| File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 | 92934 | 39794 |
| WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | Michael Haag | Sigma Integrated Rule Set (GitHub) | 8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac | 92372 | 21441 |
| Potentially Suspicious Desktop Background Change Via Registry | Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) | Sigma Integrated Rule Set (GitHub) | 5a6c8cc8cab203cf6f2333e64a60bd47d75fb197ebae1de9ed494061e525a58c | 90633 | 282 |
| Potential Dropper Script Execution Via WScript/CScript | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817 | 90400 | 22288 |
| Potentially Suspicious CMD Shell Output Redirect | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4 | 90366 | 4995 |
| Potential Product Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 04969458bf2b005665d6b29fa937ccdfac26516eac5746c80ed78581033094c3 | 89084 | 3415 |
| Office Application Initiated Network Connection To Non-Local IP | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | cfd44c3835317e846b18021a9060f4b9b011294ec53eb3ac1fad568abeb37922 | 84567 | 69787 |
| Windows Binaries Write Suspicious Extensions | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6 | 83443 | 2400 |
| Winrar Execution in Non-Standard Folder | Florian Roth (Nextron Systems), Tigzy | Sigma Integrated Rule Set (GitHub) | 99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 | 82962 | 14066 |
| Usage Of Web Request Commands And Cmdlets - ScriptBlock | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf | 82360 | 14464 |
| Set Files as System Files Using Attrib.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 62ce96b648991749ff9b9ccc7dafa1d8da64d6490e9f469683f00fa248ef9336 | 81752 | 1375 |
| Shell Open Registry Keys Manipulation | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd6c2801be2f14154f9616435303948eacedd79025bd0646cb3c34bb536b7cab | 77402 | 41 |
| Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 | 76282 | 14960 |
| K8h3d campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e5a93340aede0794b671d3b3d020fb719a3985e78a96970d36c5c326f2fef34 | 75119 | 16923 |
| Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b | 74854 | 10516 |
| Change User Account Associated with the FAX Service | frack113 | Sigma Integrated Rule Set (GitHub) | 26eb124f6709979c69bbb0025f3a401c81cde2ba2f83098c32504f896490fc2d | 74627 | 0 |
| Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location | Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c01e7ec6f86a4d6c135bc43d1a4e4a012bf97c07c8bb4238242fe32f06ea6d09 | 74216 | 251 |
| HackTool - Windows Credential Editor (WCE) Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479 | 73261 | 19 |
| Floxif Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98d1e74d54870538bf25e55522e0e31814ceaa32679120ff66addce78f4c461d | 72110 | 1725 |
| Hardware Model Reconnaissance Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfdf6fdaa1841541e46a9c7701402dd4782cd08947692cfdcf86532c87ea3dbc | 71136 | 2642 |
| WmiPrvSE Spawned A Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22 | 70857 | 107 |
| Dynamic CSharp Compile Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 | 68823 | 9816 |
| CurrentControlSet Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 5bddd3dd0944d27f3ff8b03e8a8a01f5a9d14540ea1779da5683fe601557a364 | 68771 | 1399 |
| Rundll32 Spawned Via Explorer.EXE | CD_ROM_ | Sigma Integrated Rule Set (GitHub) | 63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5 | 68139 | 827 |
| Hiding Files with Attrib.exe | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b | 67140 | 1365 |
| Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 63139 | 2031 |
| Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6416d92c1d6493914510053de27fbb52201520df66cac075111034d37aac4194 | 61984 | 24961 |
| PsiXBot Malware behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 63753d667c596fd59cca6de277c7a4f8062dd47fb2ae19a1efdda0cbb8d7692b | 61972 | 24951 |
| Orcus RAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 870bd93000dae7789508610f80cf9f2862f3b3e9fefec9b3cba32617a75799cd | 61970 | 24951 |
| Suspicious Double Extension File Execution | Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2 | 60653 | 139 |
| PowerShell Web Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dac677b84d14788387f1c92fd6733396974f070639fca6be1bbf50df44b426cf | 59860 | 9415 |
| Dot net compiler compiles file from suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918 | 59240 | 16570 |
| Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa | 57771 | 115 |
| Registry Disable System Restore | frack113 | Sigma Integrated Rule Set (GitHub) | 39ac4b0484423463b1d746fc5446062ea1299bec08a2dd2bc058efcd9c06f2e0 | 57233 | 21 |
| Usage Of Web Request Commands And Cmdlets | James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 | 56902 | 10246 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c01baa2540aeb8f23c067318100db0ab3618e37acf7e219372e750398969c606 | 56166 | 32529 |
| Suspicious Execution of Taskkill | frack113 | Sigma Integrated Rule Set (GitHub) | cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d | 55778 | 8572 |
| Potential Dead Drop Resolvers | Sorina Ionescu, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1aa956a1fb5e5e7293864d3c9941d7469eae4a2c837614bdc2a6a741671526ae | 55336 | 2426 |
| Use Short Name Path in Image | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a913250de417b0235e4fbff14e07a25585d216d2000ee8ef314227987aef7eb0 | 52661 | 13196 |
| New Firewall Rule Added Via Netsh.EXE | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112 | 52248 | 3253 |
| Windows Defender Exclusions Added - Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 795fba906ef1026c4e4d4ae583b085f3f640182a288987bf4d43695ea7e62992 | 49856 | 339 |
| Suspicious Execution of Powershell with Base64 | frack113 | Sigma Integrated Rule Set (GitHub) | eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 | 48887 | 1076 |
| Regsvr32 DLL Execution With Uncommon Extension | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37 | 48286 | 5265 |
| Drops script at startup location | Joe Security | Joe Security Rule Set (GitHub) | 196a9c9222e3b003ccb0caadc29931d851129ba863f99545299786a032864d12 | 46830 | 503 |
| Suspicious DotNET CLR Usage Log Artifact | frack113, omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d3c65dba4df23fb384d566a6730f08957cd6e906ab86db5a042c01a5c4258230 | 46682 | 22198 |
| LatentBot malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f5653d51811614b162ab7311b24033c85bf166bbc322d83f4f72d0b9a366a01f | 46540 | 17468 |
| vbc.exe execution. | Den iuzvyk | SOC Prime Threat Detection Marketplace | 7f5e752d29abb27ef7222f5171fe6719092aa64cb1a11187e75e3efd277216b3 | 45501 | 135 |
| Suspicious Executable File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | a3e8f1f39ee9f212f863aa80fb48e783e942fa1db242be073c5647888fd6b094 | 45153 | 687 |
| Script Interpreter Execution From Suspicious Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c | 44942 | 7385 |
| Modify User Shell Folders Startup Value | frack113 | Sigma Integrated Rule Set (GitHub) | 0799d32e125d6df849ced4dc75e232438c118a816477d3f80a390cbd8b4d07ef | 44810 | 106 |
| Potential Binary Or Script Dropper Via PowerShell | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c | 44585 | 2811 |
| ADS Zone.Identifier Deleted By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43c6ce8bdbd683e1a7f4fb9b49a3a8236621ff32e67fdf0987c5770097ef376c | 42450 | 5355 |
| Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 | 41867 | 151 |
| Sysmon Configuration Change | frack113 | Sigma Integrated Rule Set (GitHub) | 953121a751fbc01b581e57dfbcfb08d3f714fa9df54e4180dfb7564c3b2e3153 | 41794 | 15833 |
| Use NTFS Short Name in Image | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53658db80063ea16a40c90c24fa4cdb4a146dec6685cf48c0167318df2cbe20f | 40302 | 4688 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9e98f5066d90fefc6c08a2a98baaaeecc9dcfccf65c96170128a898353b6d50 | 39857 | 30413 |
| Suspicious Volume Shadow Copy Vsstrace.dll Load | frack113 | Sigma Integrated Rule Set (GitHub) | c79aa27a6bc774dc430e35f8d05d743b7bea3638a8776f9e8c3ba8f7188a856a | 39771 | 10181 |
| New Custom Shim Database Created | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 | 37992 | 61 |
| DNS Query To Remote Access Software Domain From Non-Browser App | frack113, Connor Martin | Sigma Integrated Rule Set (GitHub) | 210890087c5c0874ddc8155130ae1218d789f501e70a75ad47c71bbbc76004af | 37941 | 10452 |
| Dllhost.EXE Initiated Network Connection To Non-Local IP Address | bartblaze | Sigma Integrated Rule Set (GitHub) | 0469df5507574c65082f62410c1cc9e493ba1daeff82396b38a60516c6f4187c | 37375 | 7912 |
| WMIC Loading Scripting Libraries | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 022ee32433f415a35cf214d689b7c20ea4d29ed50a5be04595877663d8128997 | 37302 | 2633 |
| Amsi.DLL Load By Uncommon Process | frack113 | Sigma Integrated Rule Set (GitHub) | 839b8da98cb18a93a4c803f0e372af5098133357d4e2c35fd9f75cd01bbd43b1 | 36948 | 3931 |
| Service StartupType Change Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55af83c751d2c7bca8dbba245a97017e34109bff34fd50b02f60a91111ea703 | 36353 | 6980 |
| Stop Windows Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 36315 | 6906 |
| Dynamic .NET Compilation Via Csc.EXE | Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7 | 35737 | 6449 |
| Tamper Windows Defender - ScriptBlockLogging | frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c14e1f7f13c2bd7f209d1a9b75c7c313606e7e245601bf31765f2770c858ce09 | 35456 | 268 |
| DropboxAES RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8c558244a29064b6842314ce986116d2007b1087f6f8bb45ae883911d0155549 | 35119 | 14785 |
| Suspicious Network Command | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57 | 34696 | 6257 |
| Suspicious PowerShell Invocations - Specific | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc | 34168 | 581 |
| Suspicious SYSTEM User Process Creation | Florian Roth (Nextron Systems), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 | 33510 | 258 |
| Scheduled temp file as task from temp location | Joe Security | Joe Security Rule Set (GitHub) | 90af0ea1f6d871f169dfb41b18545bf456f980c5d75f60f1293c34f071f6a31c | 33146 | 202 |
| Start Windows Service Via Net.EXE | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052 | 32686 | 6625 |
| Windows Shell/Scripting Application File Write to Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 248820e948efae04f89b524348c8398f0b278befcaec4fafddf73e9c5dda0353 | 32679 | 398 |
HanaLoader (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 38853c8efaf750ffd744961ebcbeb037146acaabb9ca85c445af59f87e98e44d 32113 12550
Msiexec.EXE Initiated Network Connection Over HTTP frack113 Sigma Integrated Rule Set (GitHub) 4a7e3b52f438365db6b61867f157e3bc434b40fb9916eba681bb857e7a1041ee 31448 14232
Potential DLL Sideloading Of DBGHELP.DLL Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) Sigma Integrated Rule Set (GitHub) 601376b375400e92dd2beb3ddd52c4c8151878f99ed7a406718b7672b4e3722f 31166 6416
Load Of RstrtMgr.DLL By An Uncommon Process Luc Génaux Sigma Integrated Rule Set (GitHub) 7d0d3be8fa405f5e34c2e0cf9eaa345cacd60eb5244b50b23dc54c4785bc7512 31001 4516
Potential Maze Ransomware Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d807dbfa78ad565695bdfaa5793858aa25a153091a49b554975f48182344c78f 30921 0
CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) SOC Prime Team SOC Prime Threat Detection Marketplace c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c 30810 44
Potential WinAPI Calls Via CommandLine Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7d53de0fb9c4ee79b8ab06605cd3a8faaa400a586d577c9a7d692f059a3ac78c 30531 17480
Suspicious Volume Shadow Copy Vssapi.dll Load frack113 Sigma Integrated Rule Set (GitHub) e3c2bad5a5af60244d315d33a3dc0534c602553aaeca2a895ba4ef848a637abb 30391 6986
Capture Wi-Fi password Joe Security Joe Security Rule Set (GitHub) 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e 30195 514
Use of W32tm as Timer frack113 Sigma Integrated Rule Set (GitHub) c36744b5f28fd16a3d12551b5ab3040cda78b8771cefa8acaf2dbdd269e4af2b 30066 2478
Potential System DLL Sideloading From Non System Locations Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e4b059c53908c7008669e834c3c05ad45881842235e14670eb30e91a8df736d4 29958 8237
Windows Defender Real-Time Protection Failure/Restart Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update) Sigma Integrated Rule Set (GitHub) 300832dd5414e83d23f6791c1f960c07191eea49ca183cc0ce1230b6c777f565 29836 16336
Powershell Defender Disable Scan Feature Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 452d2469c7cd2c2065eaf39a671afb28d62803ea89003d82491c0e02559fcb9d 28558 132
Explorer Process Tree Break Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber Sigma Integrated Rule Set (GitHub) d44e9b6572a6737a34b18fd89f757237729293ed9959e5be7dd05d63e7f78622 28543 2834
Registry Persistence via Service in Safe Mode frack113 Sigma Integrated Rule Set (GitHub) 876ae5900040fc2ad5fd69d8477e94869d5e147f2af5c4456d0b099844c20bb5 27947 6367
Startup Items Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 80c9078b4f0a21412506961251c7253e037afc83c8a88cd362377082d1efaa30 27205 24364
Computer System Reconnaissance Via Wmic.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c8e910a6a612d2b2556bdcc91dfca15a43385b8571e490ed29c46ef1a3e5e144 27075 2541
Compression Utility Passed Uncommon Directory (via cmdline) SOC Prime Team SOC Prime Threat Detection Marketplace f4fe24c510771cfebac8ea12b6e86858e92ee0807f17f8dd0e23e2dc5e1b8049 26867 568
Suspicious Startup Folder Persistence Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3396956bf20db86e217299b41f051d8e3807a72f92450b595e46cc0a7e70800b 26626 494
Uncommon System Information Discovery Via Wmic.EXE TropChaud Sigma Integrated Rule Set (GitHub) 0546c2d1b6847c71b54cd4de2f5363edba0cdf02eb90da287ec9c110d3c4af30 26598 514
Suspicious PowerShell Encoded Command Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e 26331 416
Powershell Detect Virtualization Environment frack113, Duc.Le-GTSC Sigma Integrated Rule Set (GitHub) 6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387 25869 6896
Unsigned Image Loaded Into LSASS Process Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) 41a3e620fba7b86366fe885ba1b20dbaae2be7596e2e9b194ab65dae5e4a7b53 25482 32
Potential PendingFileRenameOperations Tamper frack113 Sigma Integrated Rule Set (GitHub) 3b132597acd67d1315d83f5f329eb2db40a281a5c93df8881e681ba8d6af5a59 25265 12196
Suspicious Scheduled Task Creation via Masqueraded XML File Swachchhanda Shrawan Poudel, Elastic (idea) Sigma Integrated Rule Set (GitHub) b0f576aead127b964909d75f26e113ee55e88fb8d2bac31fe4a5c12337b4f327 25119 249
Bypass UAC Using DelegateExecute frack113 Sigma Integrated Rule Set (GitHub) da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 25090 46
Suspicious Tasklist Discovery Command frack113 Sigma Integrated Rule Set (GitHub) 54b43d3a279bdcbcca22abf416f8b57c691f2c84a9363507162ca472e30ab902 25056 6546
Suspicious Process Parents Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 339db70fcafbc2231425e99a4637ca5513d5eadd2f7807a2ad8bc9123ec81129 24643 27
Suspicious Eventlog Clear or Configuration Change Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 Sigma Integrated Rule Set (GitHub) b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491 24460 6008
Suspicious Execution From GUID Like Folder Names Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 08e7088e12bfe2fa4d351a66754c13a0aa7ea7b70fb40c21ce782ac7321e54e4 24429 13924
Powershell Suspicious Win32_PnPEntity frack113 Sigma Integrated Rule Set (GitHub) 7cf1e08df2c1e71b9ecbab0ba652d8d7adc890f53db8c630b859d32064f3eb3a 24191 5920
CoViper Malware Ariel Millahuel SOC Prime Threat Detection Marketplace 17affcf8751489416a8bdd1c7819271220bd9bdd11f595b644b2966c3e3b1b80 24043 1913
Cscript Visual Basic Script Execution frack113 Sigma Integrated Rule Set (GitHub) 140aa55cb94f2ee1de560a395631283b557b8f771117a7991289298e2c6e7f6e 23826 5734
Windows Shell/Scripting Processes Spawning Suspicious Programs Florian Roth (Nextron Systems), Tim Shelton Sigma Integrated Rule Set (GitHub) 80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422 23372 756
ChChes Trojan (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace a515be8db5d265bf43ba29f21c53f4e482fa0f7db4acc10054e85bc0c516a7ba 23337 2617
rundll32 run dll from internet Joe Security Joe Security Rule Set (GitHub) 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 23247 16877
Suspicious Windows Update Agent Empty Cmdline Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) bfc362a89797a5fb7c7a15aee27b5c62127fff278db59f8dad27390ea34e3e1b 22890 26
Root Certificate Installed oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) aaa442da8065368308d21225f195c966f7aacd66f4a7703b37f095739a0752d4 22732 5610
Suspicious Encoded PowerShell Command Line Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community Sigma Integrated Rule Set (GitHub) 09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425 22497 345
Remote Thread Creation By Uncommon Source Image Perez Diego (@darkquassar), oscd.community Sigma Integrated Rule Set (GitHub) 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 22288 79
Execution Of Non-Existing File Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) d2b7b95657238f7c078b9a6a17689a6184c1cf349ffb183b174ad2bd84681b08 22237 1401
Process Reconnaissance Via Wmic.EXE frack113 Sigma Integrated Rule Set (GitHub) c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec 22204 2377
Execution Of Script Located In Potentially Suspicious Directory Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 444cf775e51f1f48a4f280cf4a392d9fa3244628404c303864ad4b00325530c5 22131 14492
Sakula RAT Ariel Millahuel SOC Prime Threat Detection Marketplace 1c2774ed7c4cad91219d007aa7101b09d19b442613cd2e3fc453726a7abd1b1a 21947 8
Access To .Reg/.Hive Files By Uncommon Application frack113 Sigma Integrated Rule Set (GitHub) 14975883a22bbc5b0ee6745b2bb5cecf6a97d5b3bc38e7550a98401292959bc1 21856 9327
Net WebClient Casing Anomalies Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2b81c8afee92062579f4f19ea901c1194542107857913a32a13108debb721c71 21494 222
Local Accounts Discovery Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c 21434 3550
Network Connection Initiated Via Notepad.EXE EagleEye Team Sigma Integrated Rule Set (GitHub) eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553 21383 5
Suspicious PowerShell Invocations - Specific - ProcessCreation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197 21288 322
Potential MsiExec Masquerading Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458 21282 279
Potential Suspicious PowerShell Keywords Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup) Sigma Integrated Rule Set (GitHub) a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d 21267 620
Bypass UAC via Fodhelper.exe E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community Sigma Integrated Rule Set (GitHub) 4793e3844bd4ee212795ee4a6bf167b869d51840732845bf0d2aa41f7481e6d7 21259 22
Suspicious File Creation Activity From Fake Recycle.Bin Folder X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 51a5b51db51679c45a7aea23d8e25f242e096a01ad35754b45acf5da3ec98440 20735 28
Potentially Suspicious Rundll32 Activity juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0d7b38274ada42870a9b5fe59433cc701b21c18ef543b8c653d2e5dae0f93c0e 20622 2063
Office Application Initiated Network Connection Over Uncommon Ports X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 338327c7da2a9fd3fa20080c302384046430050cf2eb53403c7334a8bc26da19 20367 14500
File Download From Browser Process Via Inline URL Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d67139d73a6d7369e526a363923c3f504c081ba52a8f8556080f518c4302090f 20195 4679
Access To Browser Credential Files By Uncommon Application frack113 Sigma Integrated Rule Set (GitHub) 74ea3fde96df11352e7b3c70bce437f83f170b5677efeb447c7f33d001142691 19811 592
Imports Registry Key From a File Oddvar Moe, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) d17374b215c7dec3cfb7a7588c3e1ba10e710be57c03928275fcfd3c65bd187b 19765 1574
Suspicious Execution of Systeminfo frack113 Sigma Integrated Rule Set (GitHub) f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd 19475 1513
Potential DLL Sideloading Of DBGCORE.DLL Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) Sigma Integrated Rule Set (GitHub) fd3370668fc80cce04ee89dae971b4c8e5395a5e40e431348a67c8a75b708bee 18960 3010
UAC Notification Disabled frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ab62d934eff1c4f8f95b26a1028eb6bf4516b440b09c002bfb87100849b44a2d 18872 0
Suspicious Chromium Browser Instance Executed With Custom Extension Aedan Russell, frack113, X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5511a10e5fd658ddc15e8b7fa4c8cc7cd60289f6e54d703f50a9f3a8134ab796 18011 3277
ServiceDll Hijack frack113 Sigma Integrated Rule Set (GitHub) fb1acd0dbf62447f03607a7716d5d6bd489403a486bd8807beba004bab482bdd 17894 707
Sysmon Configuration Update Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 63576d1c84436ef61b9f2631071146cbf42394a36c3e1a2d0ce83bc2e7b2fcc7 17785 7972
Interactive AT Job E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) c288d5891a082dd1f38d14b832960d7e1b88651dc301c6985be8e66b561bf95d 17619 11
Windows Defender Service Disabled - Registry Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 5800379600db7e280b56236f291d8f474f097bed4c21c02367049347a8febc40 17619 108
Credential Manager Access By Uncommon Application Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 24966e29f8ae02e09ad40f3d903269a0ead88427f40a35139eb4d628aa926547 17585 50
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 98a4dc6e84bd2b7671587aaaaa8a8ae8fdd2f8d8880705d12e11f767c77df7c4 17380 451
Office Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 17224 10337
Hacktool Execution - Imphash Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e5df091eea8e09dc9859059928ad9ae436f75c7bc67be324d1582e24fe627533 17088 50
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 16412 949
Potential In-Memory Execution Using Reflection.Assembly frack113 Sigma Integrated Rule Set (GitHub) 912f22774b3e6d5ee33f034551a616aae59ae320fe812cf9c2010432ca80df77 16203 1459
Suspicious Curl.EXE Download Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 16136 2682
Path To Screensaver Binary Modified Bartlomiej Czyz @bczyz1, oscd.community Sigma Integrated Rule Set (GitHub) 71c11c0cc84fa6ba12489ce6fb7a0c5729c809f47cf296aa025e7f514394f01b 16129 323
Suspicious New Service Creation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2e9fe41f275cf8282c3e18ce1605f533249acb7b3762d23c128bd0febd22a085 16086 2458
File With Uncommon Extension Created By An Office Application Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5c100e376f43b26c0279b6ecab437d35499a64f73cd9c1b180f62e840eebd2a6 15665 231
Suspicious Add Scheduled Task From User AppData Temp frack113 Sigma Integrated Rule Set (GitHub) a219a0bf27f7f5f1acdc1fbdd83ff3d3f3711edd5b8111b967d8eb1575aa3b85 15663 174
Msiexec Quiet Installation frack113 Sigma Integrated Rule Set (GitHub) 269369cff6a753f9bd7a50d72f15b83a86911e2d6d46e1a38561ac385481c372 15396 5827
Suspicious PowerShell Parameter Substring Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) Sigma Integrated Rule Set (GitHub) 1929e853315b3b5398e0837b2b8928a28ae8eec0611ebb41efc5e6b33e78cd6c 15163 1061
PowerShell Download and Execution Cradles Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879 15150 442
Potential Dridex Activity Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00 14956 131
Registry Explorer Policy Modification frack113 Sigma Integrated Rule Set (GitHub) 767b140d3dd4f5df18244f9d3f3a79b259843572bf19ec0cea5f646e1f350c6f 14931 202
Outbound Network Connection Initiated By Script Interpreter frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a 14719 1073
Pyvil RAT Ariel Millahuel SOC Prime Threat Detection Marketplace 1b78637b79c8dffe83e4631ca8812c2cab4799547d30fb65df21e42f1894053f 14546 6518
Use Icacls to Hide File to Everyone frack113 Sigma Integrated Rule Set (GitHub) 2b816898a4d295bb7523cf3cf83af84a641b8f2a145e2ca8b12cdf2ac8193a13 14496 36
A Member Was Added to a Security-Enabled Global Group Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) ba8140e5173f7647dc01d2d1aae82bf84283f52c7aece9e9a61f7f5e75ffe53a 14363 594
Potential Homoglyph Attack Using Lookalike Characters in Filename Micah Babinski, @micahbabinski Sigma Integrated Rule Set (GitHub) f311f45a27e981db5c1aff6b1880679af30210f2426d026f442a886afec6ac05 14357 456
Access To Windows DPAPI Master Keys By Uncommon Application Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ec1d4770fddf21948d437ee8ade88904c7b95601bf83cfe214687e2611dd530c 14299 20
FlowCloud RAT (TA410 Campaign) Ariel Millahuel SOC Prime Threat Detection Marketplace 159df9b8abe4902ba69f24455a788a64edcec473e20be350469118e1c586299d 14240 938
Network Connection Initiated By Regsvr32.EXE Dmitriy Lifanov, oscd.community Sigma Integrated Rule Set (GitHub) dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3 14199 107
Local Network Connection Initiated By Script Interpreter frack113 Sigma Integrated Rule Set (GitHub) d2ba63dcfd40541d69308865939969a6282a95c29b46e0eaeb0c39701b6aa2f7 14058 1050
Suspicious PowerShell Get Current User frack113 Sigma Integrated Rule Set (GitHub) c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3 13680 8670
Nymaim Trojan (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace a9d7fe3dd2aa50123d54b48a488447b37091616c00667ae7c459bf19dd1ad2e0 13661 19
Firewall Rule Deleted Via Netsh.EXE frack113 Sigma Integrated Rule Set (GitHub) 052f94156672e1511386806889ab6346ea81a8f49f98a8610ce616ee7a9ae931 13527 3911
Potential Product Class Reconnaissance Via Wmic.EXE Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community Sigma Integrated Rule Set (GitHub) fc6236ee6917b72dac2442d623fbec008944e69e1788346494f1f98b38acb5c9 13412 328
Powershell Token Obfuscation - Powershell frack113 Sigma Integrated Rule Set (GitHub) 0328ed59c29ebeee509b67ed087523a3cbfc646542f343aa12f9b1bbd64324fe 13402 4935
Visual Basic Command Line Compiler Usage Ensar Şamil, @sblmsrsn, @oscd_initiative Sigma Integrated Rule Set (GitHub) 5cde8271bb36c24d7ac552a1d30127f3f00a08a681a90eff12e3eac68b72bf47 13366 35
CLOP Ransomware detection (Sysmon) Ariel Millahuel SOC Prime Threat Detection Marketplace 94b16fc40ce61b0527bd124b84d6a631649e579c2c571a3dc68d4f0f9ee4aa76 13325 4762
Internet Explorer Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 13147 1765
Suspicious Copy From or To System Directory Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856 13075 1173
User Added to Local Administrator Group Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 13027 291
WinSxS Executable File Creation By Non-System Process Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b98d05d95e8a26eef6f1edf143064928002638d3a45c7a007a16c7b3bb5a9cd7 13015 1
Uncommon Userinit Child Process Tom Ueltschi (@c_APT_ure), Tim Shelton Sigma Integrated Rule Set (GitHub) 91fdd3ec700c41d38dcb9127772f866ad831ade83c48c4131aee4842d77be561 12552 44
Suspicious Userinit Child Process Florian Roth (Nextron Systems), Samir Bousseaden (idea) Sigma Integrated Rule Set (GitHub) 1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 12349 32
Suspicious Process Discovery With Get-Process frack113 Sigma Integrated Rule Set (GitHub) b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314 12256 4919
Potentially Suspicious DMP/HDMP File Creation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 098155535b5f140a45c1a07ea729542903d8e4bb81674f7e3a5636d6d121422d 12213 6949
AMSI Bypass Pattern Assembly GetType Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0a84db82d1740ebcf2c704e4d71ef3e033441b714135baf3b4025983a8c4e14a 12146 9
COM DLL Loaded Via Microsoft Office Product (via sysmon) SOC Prime Team SOC Prime Threat Detection Marketplace 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c 11665 8034
Suspicious Msiexec Execute Arbitrary DLL frack113 Sigma Integrated Rule Set (GitHub) 5802db25decfb533c2f29a2580aaef6b1d4833aade450592d1dc36e256141c3c 11618 7528
Suspicious Msbuild Execution By Uncommon Parent Process frack113 Sigma Integrated Rule Set (GitHub) 99aac26486266b4916c883cf9ec793784cff9e6617ed361b8c47f7972a4baf46 11570 87
Powershell File and Directory Discovery frack113 Sigma Integrated Rule Set (GitHub) febfc891e8c04ffe16ce1a9eaf5731b0a321cf42be5c06aed06252ec31cdbb79 11494 5587
Shadow Copies Deletion Using Operating Systems Utilities Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b 11413 85
Removal of Potential COM Hijacking Registry Keys Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 85b8f7bd2db84db2632bf9e5b9b9402e829785f546868fe1a62c7a6002a6eb60 11345 919
Directory Removal Via Rmdir frack113 Sigma Integrated Rule Set (GitHub) d0d48610cfc4076f9598a2787593e35702aa291f3772b3678c8025aacc26c35d 11271 5276
Potentially Suspicious Malware Callback Communication Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c819b1c2210c6c76f29e7d15825b104bbd98de4d9561a6c86a8b158afd0d2be9 11160 643
Suspicious Service Binary Directory Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ecf07e5502e8c93b8a8359e6bde14af9098293d382223c0ecf59834a37cac953 10837 15
Xmrig Joe Security Joe Security Rule Set (GitHub) c9f2b527fcecda6141fde1caee187052676355bc055141a8caa6c22482fca3ad 10832 21
Remote Access Tool - ScreenConnect Execution frack113 Sigma Integrated Rule Set (GitHub) 4e5183fbf4eb55f1facacd3e44e6d35245f2dea793693a25f292b52509cbdb72 10717 382
Suspicious WSMAN Provider Image Loads Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 33e7351552f382831af6bf73d86054bced055e64df091f572c94e9fc9e9a2a97 10436 1620
Potential Persistence Via Visual Studio Tools for Office Bhabesh Raj Sigma Integrated Rule Set (GitHub) c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 10345 5496
Microsoft Office DLL Sideload Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) Sigma Integrated Rule Set (GitHub) e48472e0a390541687c6ed6e14d37175a2e2eef8a82f796036fc7d9f7df9498c 10256 166
North Korean RAT - BLINDINGCAN (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a 10195 12
Load Of Dbghelp/Dbgcore DLL From Suspicious Process Perez Diego (@darkquassar), oscd.community, Ecco Sigma Integrated Rule Set (GitHub) 31e54e59e39fda87af874302c79fe8910fcd407edfed11f536cb042394e49c09 10160 7704
Disable Windows Defender AV Security Monitoring ok @securonix invrep-de, oscd.community, frack113 Sigma Integrated Rule Set (GitHub) 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 9934 81
Suspicious MsiExec Embedding Parent frack113 Sigma Integrated Rule Set (GitHub) f46fb5682ba3b26a58530a0f49196fd4253c14c4e64dd7069f21357e3d079509 9878 4190
Potential PowerShell Obfuscation Using Alias Cmdlets frack113 Sigma Integrated Rule Set (GitHub) c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e 9851 5686
Potentially Suspicious PowerShell Child Processes Florian Roth (Nextron Systems), Tim Shelton Sigma Integrated Rule Set (GitHub) 2105a0eff0c693326dcb33bbdcfd768fd6c8825061ae9eb48d31703fabf241e5 9728 1697
CARROTBAT Malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace e5937a80eca18cdaa94adaf02b89a4af91bb9605d3236af13685c8b481d9b1b1 9656 2226
Malicious payloads that are hidden in fake Windows error logs Ariel Millahuel SOC Prime Threat Detection Marketplace e55945cd70c0ffa247fd76996326089548147e223588b2b6aeef053c1c0ce613 9565 2135
Legitimate Application Dropped Executable frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a323ff5e5edb2d7bf37ac8071bd7e0943ac4d50e99adf03671a8b5bb0eac5cf0 9422 99
Telegram Bot API Request Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8119b0f5e55bcc32efeebba677769c41f458947ed836a43326d94ce77e2a6a0a 9392 129
Potential Defense Evasion Via Rename Of Highly Relevant Binaries Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) 6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da 9363 355
Stop multiple services Joe Security Joe Security Rule Set (GitHub) 2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 9359 10
Disable Tamper Protection on Windows Defender Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1 9346 1
BackSwap Trojan detection Ariel Millahuel SOC Prime Threat Detection Marketplace a5470af7af21c2bc99ebc438fe841b20ec62f530e6540dc01ce42deed3ffb1eb 9297 2186
Suspicious PowerShell Download - Powershell Script Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 9282 1800
Start of NT Virtual DOS Machine frack113 Sigma Integrated Rule Set (GitHub) 705bee7ec50dc3b36f21deb0d2cb6e19b1a84d8142bae256797827d59ddcd242 9262 288
Potential WinAPI Calls Via PowerShell Scripts Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 9101 1074
Browser Execution In Headless Mode Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 33ab0a6585e80d6608925e96cfd8ae0cbc9b1fde20f036215a29c04eff4548eb 9080 107
PowerShell Deleted Mounted Share oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba 8867 5056
CredUI.DLL Loaded By Uncommon Process Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) d95ca36c302040f620589faab34078391fb9db19ee77118e3ad298784775d65b 8863 2735
PowerShell Get-Clipboard Cmdlet Via CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 405f59430cd2ef58f1b3387a7fc5708e7dd6da1082e96fe6cb359c46daa4e056 8817 191
Add file from suspicious location to autostart registry Joe Security Joe Security Rule Set (GitHub) ab2075510415e5fab5635dc30ecec20ea16d6bead9c4397297335c9520922561 8811 27
Sysmon File Executable Creation Detected frack113 Sigma Integrated Rule Set (GitHub) 89e801c894097380321f8d053ed1de87b584d895d5b7de28ee9167d1e0aa90bd 8742 2849
Reg Add Suspicious Paths frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4ed42e9d011d5674f2f07c78f41b8a2bfd742ee689b7a57fce8316e002688075 8708 865
Local User Creation Patrick Bareiss Sigma Integrated Rule Set (GitHub) 8a5a3c45e4c0e75583d9be0aa76f935e9be8f878840cdddb49890be7a65180a6 8679 350
Suspicious Binary In User Directory Spawned From Office Application Jason Lynch Sigma Integrated Rule Set (GitHub) fb4acb832d8776634f7ad5e60b2ae16c329118186cc8dcf04d1ce959185c6264 8611 11
PowerShell Core DLL Loaded By Non PowerShell Process Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 309cda68f6a1f23a3de3d6604cd71d89098ca2472c6cfaae572a5d4375389247 8563 956
Console CodePage Lookup Via CHCP _pete_0, TheDFIRReport Sigma Integrated Rule Set (GitHub) 3bda98164bb253cb435c3bc30ce36f9f570b187e1481bf7feb1e9468422fd79c 8510 1737
Unusual Parent Process For Cmd.EXE Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) 16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516 8469 63
Greedy File Deletion Using Del frack113, X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) c1c4c35f46055951f3124f8f5791b474f919c9dee2a42d1e737590c5eb7169a4 8343 23
RDP Hijacking. Last logged-on user changed. Den Iuzvyk SOC Prime Threat Detection Marketplace 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 8158 3635
Suspicious CLR Logs Creation omkar72, oscd.community, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) a0cf7d21374ebc3567492775f48033b67b0a81b95521f405e5be52f2950f9d18 8098 3509
Suspicious Powershell In Registry Run Keys frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943 8038 237
VBA DLL Loaded Via Office Application Antonlovesdnb Sigma Integrated Rule Set (GitHub) 1c4b9974eadae6764e88b6287305d477f5d777a06dd5a75e4773cea197fb1b0a 7776 7079
Suspicious Mount-DiskImage frack113 Sigma Integrated Rule Set (GitHub) 8aa937de88282ab672836441edf50f760451a9112887ad0867753ab1b9fc5a4f 7775 4627
Regsvr32 Execution From Potential Suspicious Location Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 49c4c4517c1ca707a5dfadad1b8db8afe6380c4546c944335aee3a1fadcc5542 7665 1869
Potential Dosfuscation Activity frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3ced86caf89e0cb118bce2037de20fae8f9a70e400916dcdd9c2ee1eec7c58c4 7657 259
Chmod Suspicious Directory Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 859cf7876f0c68da27f3e292a5e428393e9a8004af0c330fae9787dac43b7bfe 7622 5998
Powershell Base64 Encoded MpPreference Cmdlet Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f86d8f196029958699a0b36a9a1a254d7c1bfc594fd486ee04c1e4988965f3b2 7234 126
Suspicious Calculator Usage Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 379786e3d43f4df15525494f022a5e59f58acf961a0f2536f20ae374717a9fa0 7070 74
Schtasks Creation Or Modification With SYSTEM Privileges Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a9278f03bce6b217a82c054a78cc6ea5acfebb4b16cd25b7d6cd842bb1dcfd8f 7066 1104
HH.EXE Execution E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community Sigma Integrated Rule Set (GitHub) b0b20b09dd98169c1af4e8643b69d1bbe0cb12c553056b15d64e45d7726ff1b4 7046 6330
Oilrig Ariel Millahuel SOC Prime Threat Detection Marketplace 358d598d019422b994aa86b74a025eddf76f526b50d61f4163e79404bbe9ad0e 7045 2790
Remote Access Tool - NetSupport Execution frack113 Sigma Integrated Rule Set (GitHub) 65cfc106cf4668ef2ff3c230ac24edd977515d2743358a7e4015e31ea26a4cae 7044 112
Suspicious PowerShell Invocation From Script Engines Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b 7038 270
SafeBoot Registry Key Deleted Via Reg.EXE Nasreddine Bencherchali (Nextron Systems), Tim Shelton Sigma Integrated Rule Set (GitHub) 4202d03bb66c7e22943582a6959ff86dea30b0493ca74ce160940b0daf7b2797 6979 52
Remote Access Tool - GoToAssist Execution frack113 Sigma Integrated Rule Set (GitHub) df5ad6e42247717e66029569fa91f85ff8a54a54497ee42527054193ce21bc6b 6948 4887
Remote Access Tool - LogMeIn Execution frack113 Sigma Integrated Rule Set (GitHub) 2d50b92426dd9dacf9cb8f8155e01c1358138fea49e2459c140ebd54d3e45990 6948 4887
WScript or CScript Dropper - File Tim Shelton Sigma Integrated Rule Set (GitHub) 858185cf49c680890b5a26787055bc3518a78b5c5f6fc2df09e5516b191cef8c 6889 238
Rundll32 UNC Path Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e3e74fa33e688408b75baa0f3988d754504296233bf1904baa587d8b17e3c4f8 6870 2532
Uncommon Child Process Of Conhost.EXE omkar72 Sigma Integrated Rule Set (GitHub) 7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497 6744 133
UAC Secure Desktop Prompt Disabled frack113 Sigma Integrated Rule Set (GitHub) 4e15769c81d1b419d749d1781f4c9b6d42573719f4fa3d236806b7279f35d67e 6741 27
Potential Binary Impersonating Sysinternals Tools frack113 Sigma Integrated Rule Set (GitHub) 8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 6718 323
Tycoon Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e 6718 491
Potential Commandline Obfuscation Using Unicode Characters frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1afbb49fc8fb15fab2d75349956e426d182cdd6d06760b6d83594535a112fb1f 6593 558
Suspicious JavaScript Execution Via Mshta.EXE E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 6558 54
Remote Access Tool - NetSupport Execution From Unusual Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0c574c15cc6c9a17edd7b81b15044dd26631d2a7f6c2d428c6d68d9816e6b84d 6557 431
HVNC Attack (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 0643197645f9051600e631515cbe8f526e02ae4556e6125c8f9bf640dcc17849 6543 217
Milum malware detection (WildPressure APT) Ariel Millahuel SOC Prime Threat Detection Marketplace 30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb 6485 228
Forfiles Command Execution Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 1b7c75c23f2baad2051b96c094a3e6fd1d3f27a92c0518c2cfd7257229c57a72 6484 267
Suspicious Non-Browser Network Communication With Telegram API Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 620d128e8f298b86625bd4b6ab76260ff98ffad8b0d6548b49c657f4d01e86f7 6439 117
Suspicious Ping/Del Command Combination Ilya Krestinichev Sigma Integrated Rule Set (GitHub) 2e58fcf707ea25a6c7465ae2a0d4b35ff302cceb7b8fde4ac5d3467d832e005e 6353 354
Suspicious PowerShell WindowStyle Option frack113, Tim Shelton (fp AWS) Sigma Integrated Rule Set (GitHub) 5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 6350 1036
RegAsm.EXE Initiating Network Connection To Public IP frack113 Sigma Integrated Rule Set (GitHub) 81c972054a5e1474e4f1c5fa062e0edf91def5320cf378710282b2a4cf840e3d 6274 14
Base64 Encoded PowerShell Command Detected Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e75e9983c2277304aa1294c0b077a3139a8405cd1661ccf513a6c05a002acacf 6150 127
Windows Screen Capture with CopyFromScreen frack113 Sigma Integrated Rule Set (GitHub) f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 6102 657
Suspicious Schtasks Schedule Types Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 83e48c48a7932749737a7bd38f5caa95e168e9a37a1d0730ffa0349f567f2895 6101 176
Suspicious commandline parameters (shellcode in the command line) Den Iuzvyk SOC Prime Threat Detection Marketplace c6bf20aec5b9dd748265363c7d01846ca0a5fc666f1114770a8bb7f5e764e4e2 6008 5285
Blackbyte Ransomware Registry frack113 Sigma Integrated Rule Set (GitHub) afd6cd2469ae4639e99a5087deaf57ed3032b6c807da7fb2ff4ccb5eb58c3582 5969 378
Regsvr32 Anomaly Florian Roth (Nextron Systems), oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) 455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5 5935 1223
NanoCore Joe Security Joe Security Rule Set (GitHub) 270a1fb968dc6493ee107a0a5e9afce805af2cd2d8675f58a02c418e36821076 5905 1
Remcos Joe Security Joe Security Rule Set (GitHub) b50b6d86173debc4d608b981e7d6b5136092c515286d20c0eafcce3b7c411dde 5900 20
Potential Persistence Via App Paths Default Property Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) cef4d3e30776e7c2f6f9875e0ccd23b74182701da04f922481d50f37c50281d2 5892 1999
Potentially Suspicious Execution From Tmp Folder Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) b8017658b8eef8b1293176d76212e600b660d0a36a4f5dc80141324fae360bbf 5882 4187
Scripting/CommandLine Process Spawned Regsvr32 Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3c839a03f4fc9d7988e0debb79087dea4e4584fa05c3ee8cd7aad8c037b505cf 5806 1992
Files Added To An Archive Using Rar.EXE Timur Zinniatullin, E.M. Anhaus, oscd.community Sigma Integrated Rule Set (GitHub) e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb 5800 2
Remote Access Tool - Anydesk Execution From Suspicious Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e8f71f8fe8e705cebda4bbb0636db89fdd3c7b9c2faebe19bac1e6d0d6db37c5 5719 1987
MacOS Scripting Interpreter AppleScript Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 6ecd0ccd55a70b96ebb8ad35b9fc18b56f99fdae0b1c2d235ba3300b9457b516 5715 1132
Suspicious Invoke-WebRequest Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 56fe16e9bd72e77ff37f1ceaab3ee67231b676c732b7ff10556298e7a60590e7 5640 1006
Potential Goopdate.DLL Sideloading X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5e22ec775af6cbc5059b6f7e9228ad35176019128d402f817de8f1d74a4608ba 5636 2540
Rar Usage with Password and Compression Level @ROxPinTeddy Sigma Integrated Rule Set (GitHub) 02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af 5602 1
Prefetch File Deleted Cedric MAURUGEON Sigma Integrated Rule Set (GitHub) c865945cbecb1d16e71f70bbaf2926d63799a2a7a109ded595203301bc777f0d 5572 70
Shell32 DLL Execution in Suspicious Directory Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 5444 7
HackTool - CrackMapExec PowerShell Obfuscation Thomas Patzke Sigma Integrated Rule Set (GitHub) c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 5417 278
Valak Behavior (Sysmon and Cmdline) Ariel Millahuel SOC Prime Threat Detection Marketplace 95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 5413 244
Potential Persistence Via Microsoft Office Startup Folder Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b52847695c6477e59d07e791f5afc7389180b1087054b513284bdbadfe15f22c 5404 81
New Process Created Via Taskmgr.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) bd4c20ecc3fa26779f917ddf7cd594af5a64805084e11c2a680ade82d77b01ed 5389 8
UNC2452 Process Creation Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 5322 107
Process Initiated Network Connection To Ngrok Domain Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0aaab6e75614dc39c58e45ef5b3a7f0a1e455ace3bb9041e837370214a92ef58 5268 28
Application Removed Via Wmic.EXE frack113 Sigma Integrated Rule Set (GitHub) 51aa013b39842efa6b0daa94240755c0d8b9d7b71b5cf5cc482247a3c7b8bc57 5188 644
Cmd.EXE Missing Space Characters Execution Anomaly Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4bb625c721776edc38f264e032f4677eecbdd60e011a95fa267baee02fc262c4 5128 189
Uncommon File Created In Office Startup Folder frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248 5117 96
CMSTP UAC Bypass via COM Object Access Nik Seetharaman, Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c 5074 46
Terminate Linux Process Via Kill Tuan Le (NCSGroup) Sigma Integrated Rule Set (GitHub) 51b34db929db2298b58d76a0d73976f3d729eca95d9b480b9513bd0cea6a1d6d 5050 2487
Local System Accounts Discovery - MacOs Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) e73eb94c02ee03d3d629b3d54b02d2cf6c9b1dab8a7831ba27d8da0c88755c94 5020 4626
Suspicious LNK Double Extension File Created Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) a22ff20d7afa397abe4e6127e6da647b437781be86602fc20a88c1403f1200bc 5001 1084
Curl Usage on Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155 4998 2150
System Network Connections Discovery Via Net.EXE frack113 Sigma Integrated Rule Set (GitHub) 90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 4972 966
Unsigned Module Loaded by ClickOnce Application @SerkinValery Sigma Integrated Rule Set (GitHub) 096069eef3be20474fe171accead2e8d072767682ea5ca1388ac7af2510839cc 4917 485
Parent in Public Folder Suspicious Process Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 84c8381801022afb55be7429db7a75474adba79984c4b957f33c62e931b0f282 4908 64
Potential Wazuh Security Platform DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 747c341b87a90e6e095cbfc8c895fbb8cf733b203dd8db9f7875d676842d4e8f 4899 737
Too Long PowerShell Commandlines oscd.community, Natalia Shornikova Sigma Integrated Rule Set (GitHub) 4b2c1a09ad8532fd7bf380feea00e848eb5daf3d246d1f4dac0ef853f29bc01c 4828 147
Potential Persistence Via Custom Protocol Handler Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fcefc4dad7b57e9c907b45137814caa77a11a27696712eecc68d4c6fbdb24786 4799 2414
Delete shadow copy via WMIC Joe Security Joe Security Rule Set (GitHub) be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 4762 13
LOLBAS rundll32 with unexpected forward slash paths (via cmdline) SOC Prime Team, @SBousseaden SOC Prime Threat Detection Marketplace 4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac 4744 2100
Renamed AutoIt Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1a5f94b3f0a2443e387f9e068328d36b28cf001899d3d0ccdc05243849ccd380 4728 186
LOLBAS conhost.exe (via cmdline) SOC Prime Team SOC Prime Threat Detection Marketplace b29d2dfc7edb1018f0384c6a0606a6f59a25bb2e9e1ff8a0fa4bad79d7d4121e 4667 106
Remote Access Tool - AnyDesk Execution frack113 Sigma Integrated Rule Set (GitHub) 0c4da16b3166fbd90cadb96254a8be0f74828fc4eb967256ac0483d9d0a10a96 4629 1599
Potential WWlib.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) acfdd695b50334901b76498dea74721b8b3767958af4dfdb031aebc613d6ff72 4597 2299
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) 4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d 4578 61
Local System Accounts Discovery - Linux Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) db147f594af74bbd5641cf034cfa4ce699110ac6712abb1062141aefe2d13704 4577 3954
Windows Defender Definition Files Removed frack113 Sigma Integrated Rule Set (GitHub) bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 4534 16
Suspicious Command Patterns In Scheduled Task Creation Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608 4533 384
Gzip Archive Decode Via PowerShell Hieu Tran Sigma Integrated Rule Set (GitHub) 0df382f7e3b997a4d0a5cf1e3096ed303ea8bef29d4a223899b1bd70c251bc33 4523 817
UAC Bypass via ICMLuaUtil Florian Roth (Nextron Systems), Elastic (idea) Sigma Integrated Rule Set (GitHub) 2219766fcc5e77936dbd9b7310a20b2ba3f5b4aac858c6ac312c81fcc2838d4a 4522 46
Suspicious Mshta.EXE Execution Patterns Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 31e1f4457871d51593456a4331811513af82fe4e36d2b26a582dd6baa180a91d 4491 585
PowerShell Download Pattern Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) 24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c 4486 425
Execute DLL with spoofed extension Joe Security Joe Security Rule Set (GitHub) 90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d 4443 1297
Whoami Utility Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4f50c176af3c65d3b67381b2eb36baf45f7c58aa2934ba1b9d94703fb60d977c 4393 2118
Creation Of a Suspicious ADS File Outside a Browser Download frack113 Sigma Integrated Rule Set (GitHub) c73db505c48b84558f4676b0613f79f5cc2c70db3a96086c3a010c535c245530 4387 410
Potential Mpclient.DLL Sideloading Via Defender Binaries Bhabesh Raj Sigma Integrated Rule Set (GitHub) 3a9cafc6a4cdfee1d351b5145ef1b7d6a64e707b04945a9fa54298173b7eaa64 4383 262
Sticky Key Like Backdoor Usage - Registry Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 4323 23
Renamed NetSupport RAT Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fede1c0268e88b6a7ec369e9c62c124a24ab5c7f9adc969af706be5000e0e8c1 4273 413
Firewall Disabled via Netsh.EXE Fatih Sirin Sigma Integrated Rule Set (GitHub) 5a783ec4b26d8a6276f21c1226c5896266e2591f44f079ca9950892310b00429 4214 423
Wscript Shell Run In CommandLine Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 83ab725e0e176c0c59e352231c53ea9aca280a122aaa1c79b3ac8cd955147dab 4213 163
Drops fake system file at system root drive Joe Security Joe Security Rule Set (GitHub) 4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 4152 1
DNS Server Discovery Via LDAP Query frack113 Sigma Integrated Rule Set (GitHub) 16b459cba08f0827ee9607be238b1582dfd3717c30b129b5f215736d5a3c3e1b 4149 827
Suspicious Driver Install by pnputil.exe Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 4076 3347
Potential Homoglyph Attack Using Lookalike Characters Micah Babinski, @micahbabinski Sigma Integrated Rule Set (GitHub) a2dffac0fcddbca9dddd5b57f9a9841ae8948007b05988ff3ba4b101da5fcc45 3975 290
System Information Discovery Using System_Profiler Stephen Lincoln `@slincoln_aiq` (AttackIQ) Sigma Integrated Rule Set (GitHub) 52daf4142ede041cf96ed7f183802efd774d9000b614dad0ea8cce461bedeb6f 3846 1145
Installation of TeamViewer Desktop frack113 Sigma Integrated Rule Set (GitHub) 2495a5176f32a1fe533956bb584ac28d8b3080d4d27a4a91f60fcf3c24bbfabe 3839 3402
NjRat Detection Rule Ariel Millahuel SOC Prime Threat Detection Marketplace 44649563045e4b39ea5ec24c20ca7aa44cde80384aa9b3de04a8bb30862d934e 3820 0
Uncommon PowerShell Hosts Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 87ff9045efc87047afd66230a3eaf7e4306b89e3d232cfa7c9307b4481ef76c0 3722 425
PowerShell Script Run in AppData Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2 3710 1022
Service Registry Key Deleted Via Reg.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 024bac7758bc9b41b74cd867afe686054dabf2eddd7128488f92797af3459361 3660 372
Windows Share Mount Via Net.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9816ac44605bf8e1595ecff4424e6d78357aaa8449a03737687a18866b736909 3594 680
WinSock2 Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) 688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c 3592 319
File Dropped By EQNEDT32EXE Joe Security Joe Security Rule Set (GitHub) 4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f 3507 2
New Root or CA or AuthRoot Certificate to Store frack113 Sigma Integrated Rule Set (GitHub) 924e45f65b58d749e29df4b23b32058847bb1b15673ee93b0f9a0fc94359b19b 3473 2050
SC.EXE Query Execution frack113 Sigma Integrated Rule Set (GitHub) 373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 3383 1056
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 3380 6
DotNET Assembly DLL Loaded Via Office Application Antonlovesdnb Sigma Integrated Rule Set (GitHub) df9179ffc950a7d9549e0d76b5a95a94d3b366fcfde63b70a6b7a7215d0d97b5 3296 2749
Potential Persistence Via Logon Scripts - CommandLine Tom Ueltschi (@c_APT_ure) Sigma Integrated Rule Set (GitHub) 931dce221464a1df97b4bd50fa971fea5b71093af0032d4e392a2f74e9bab9c1 3282 7
CLR DLL Loaded Via Office Applications Antonlovesdnb Sigma Integrated Rule Set (GitHub) 6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 3263 2748
Creation of an WerFault.exe in Unusual Folder frack113 Sigma Integrated Rule Set (GitHub) 4469b0111d1f4747a00542caf4ceadd719bff3e7e6e21793e9446d294be895bb 3208 231
Office Macros Warning Disabled Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c343cc005c090768ceeda7de8ee3ac77e284a81d14c5a803a4fe3a2cab1e3f83 3181 17
Suspicious Process Execution From Fake Recycle.Bin Folder X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) ef5803d60821ec99134c6c0fa0bd37ea1e0948d9f28c15324a15eee9929e4f34 3163 2
Potential PowerShell Obfuscation Via Reversed Commands Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) 474582c275339926ac17574ab90c8246d89014d6b66a4312e8e3edb7277ffba0 3154 299
Suspicious Non PowerShell WSMAN COM Provider Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) b42a14d4eb96ec45f6bc9ca190be91d043f6ead5ff998b704aabb76605041d4b 3136 276
Potential PowerShell Command Line Obfuscation Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) Sigma Integrated Rule Set (GitHub) e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a 3121 243
Droppers Exploiting CVE-2017-11882 Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec 3089 801
Potentially Suspicious GoogleUpdate Child Process Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 09412b30e562e2ce76bfde7b363c711eb8d82f225e5c33b969989c68181d63c4 3086 927
Legitimate Application Dropped Archive frack113, Florian Roth Sigma Integrated Rule Set (GitHub) 0b57c6b31ce9eea5f85c018839666b92eb3444ccbb55a5d93f7b89a74cb7daf6 3036 2447
Potential Execution of Sysinternals Tools Markus Neis Sigma Integrated Rule Set (GitHub) c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 3031 481
New Lolbin Process by Office Applications Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) Sigma Integrated Rule Set (GitHub) 8a45e61fc1757825afcd5eca531a7940c6b8fd8ed95faee7b3ea517339e0ee17 2999 19
Suspicious Execution of Shutdown frack113 Sigma Integrated Rule Set (GitHub) 157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 2924 529
PowerShell Script Dropped Via PowerShell.EXE frack113 Sigma Integrated Rule Set (GitHub) 7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf 2919 687
Potential Configuration And Service Reconnaissance Via Reg.EXE Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f 2913 614
Suspicious Scan Loop Network frack113 Sigma Integrated Rule Set (GitHub) 14d137deb681ad845cc2e1992b2e9cb3490ddb1372d62da747f4042d7e6b87b0 2908 260
Powershell Execute Batch Script frack113 Sigma Integrated Rule Set (GitHub) ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7 2904 1359
Firewall Configuration Discovery Via Netsh.EXE frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' Sigma Integrated Rule Set (GitHub) 25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 2867 335
Suspicious Execution of Hostname frack113 Sigma Integrated Rule Set (GitHub) 87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 2862 791
Potential Windows Defender Tampering Via Wmic.EXE frack113 Sigma Integrated Rule Set (GitHub) 3ba90b1c0830dec1dbbd2f42eb503552860963d25a6bbe081b92875c243be50d 2860 13
Boot Configuration Tampering Via Bcdedit.EXE E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 2803 46
Potential Crypto Mining Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 2801 9
Powershell Download and Execute IEX Joe Security Joe Security Rule Set (GitHub) 317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 2782 117
Ie4uinit Lolbin Use From Invalid Path frack113 Sigma Integrated Rule Set (GitHub) 186b21df711a2c225bc97a789a6794326e96247d7982569c6a23484bb7fd61fa 2750 726
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell Markus Neis @Karneades Sigma Integrated Rule Set (GitHub) 1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 2732 17
Proxy Execution Via Explorer.exe Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative Sigma Integrated Rule Set (GitHub) b32b8c78e20435f731c3241fbfb6354a0b9f86ec81cc5ee202e0f0cf13bf110c 2718 397
Powershell Decrypt And Execute Base64 Data Joe Security Joe Security Rule Set (GitHub) d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 2713 4
Malicious PowerShell Keywords Sean Metcalf (source), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5bd56545b7e384edee75e378b7ee025e05f6bcb012607cb6425ccedd54fdb070 2706 295
Add DisallowRun Execution to Registry frack113 Sigma Integrated Rule Set (GitHub) aaeb77150a9427eedfb3c4c85538e120e703cd22905d020b93856bb7ebdb03a7 2686 14
Conhost Spawned By Uncommon Parent Process Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) 6f60707627a0617e86bd3005d8ce73a34fa6e674c0169d593509953d67bfaa2e 2676 340
Service Reconnaissance Via Wmic.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d9ee3f478c792e1c6683bb60949d7041271eaeee5e5927b518a6f65e7da2607e 2637 289
DNS Query Tor .Onion Address - Sysmon frack113 Sigma Integrated Rule Set (GitHub) 674f76f777472c9d2fd1dbb116a9a1a6bf35dac71c41ca14a21ac0493d7f471c 2612 156
Potential Suspicious Change To Sensitive/Critical Files @d4ns4n_ (Wuerth-Phoenix) Sigma Integrated Rule Set (GitHub) eb81e21bcba6fa7eb54dbacb299fbd6d9409d1f0a91735cb19dae4620da3620a 2604 2548
Suspicious Program Names Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3dd877e77def39df894b8703b956bdc819796feea2cf44bef9f73339d5a37b5c 2553 163
Suspicious File Creation In Uncommon AppData Folder Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8c035500d22804f658be72a55a2b5d591891e0a77e57447d0f0c6f62f89e9ade 2548 58
Always Install Elevated Windows Installer Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community Sigma Integrated Rule Set (GitHub) b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 2546 1340
Registry Hide Function from User frack113 Sigma Integrated Rule Set (GitHub) 82ee39002b5715b57e2aa8b1d93068fa1c6e7147795a59563c5812d827f7f3de 2535 16
DNS Query for Anonfiles.com Domain - Sysmon pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 21c4870bc492f9b979f795cb98b5fd283fad4043432a9c3cd239097f04e945ee 2512 15
PowerShell DownloadFile Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd 2512 245
AspNetCompiler Execution frack113 Sigma Integrated Rule Set (GitHub) c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 2494 7
Potential Suspicious Registry File Imported Via Reg.EXE frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 7c610f9de41fe35b34a2cbbdb30ffc39573016dafe890f4164dae07613c21fd7 2494 785
Stop EventLog Joe Security Joe Security Rule Set (GitHub) 35db6f1fe683cbacad6aa4943d1220e844a15d069404bd602fa782a2ff05ea1c 2486 3
Renamed Powershell Under Powershell Channel Harish Segar, frack113 Sigma Integrated Rule Set (GitHub) a470fbf97e0f7a4d42fd59ad6332c7521f57d919e725bc61c84ea7ee2e451426 2483 379
Share And Session Enumeration Using Net.EXE Endgame, JHasenbusch (ported for oscd.community) Sigma Integrated Rule Set (GitHub) 7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378 2452 503
Suspicious Extexport Execution frack113 Sigma Integrated Rule Set (GitHub) 942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 2448 94
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 624e5e799c1829ffc2199cdf5c7bc356cfb6da8137626ea544cdeaa8ee1d5c75 2439 75
Vulnerable Driver Load By Name Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 01bc5b8a84214e476feda4fcc9c76cd6f44b3306dc67b15f214bc791497235f0 2434 886
Cscript/Wscript Uncommon Script Extension Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1168f1f8b0347e370d4f049726cef5752fdd4db77ea2e8f33d611739f3257b7c 2428 149
Use of UltraVNC Remote Access Software frack113 Sigma Integrated Rule Set (GitHub) b6d588df62f37e97081e8f05b809fb56a925b1514f359dca67c7b51fe46c6812 2422 398
Silenttrinity Stager Msbuild Activity Kiran kumar s, oscd.community Sigma Integrated Rule Set (GitHub) 6a6afb8a168ede702164bc1169f8f046647310ca518ed5dd776966148a0e9532 2413 8
Firewall Rule Update Via Netsh.EXE X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8984d13764576549e824707eeafa56e2bc51d0ba2e3cccdb362a5dc69926c991 2406 335
Powerup Write Hijack DLL Subhash Popuri (@pbssubhash) Sigma Integrated Rule Set (GitHub) c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b 2390 519
Powershell download and load assembly Joe Security Joe Security Rule Set (GitHub) 32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d 2361 11
Suspicious PowerShell Parent Process Teymur Kheirkhabarov, Harish Segar Sigma Integrated Rule Set (GitHub) a4d012f0f7c21ebed94f8e82f4910702fcbcd9d21bf70e4b1b039f48970d1bbc 2344 215
PowerShell Script With File Upload Capabilities frack113 Sigma Integrated Rule Set (GitHub) 80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 2322 738
Wab Execution From Non Default Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ee4aa57ce6316f4a46bc9e62a1748e7d5d687ad6315114f4d4eff654910c961c 2305 229
Sakula RAT Ariel Millahuel SOC Prime Threat Detection Marketplace 68a19d3c88378331526d97065cc73f033a6ff79b1ebd046f7d815d967bd2dd69 2276 0
Legitimate Application Dropped Script frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2d15bc5d08223728e30ed4330ad99024b1467ac8ddb073e7ed368b0468898e80 2268 303
Possible new Cobalt Strike dropper Ariel Millahuel SOC Prime Threat Detection Marketplace 3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec 2248 535
System Information Discovery Using sw_vers Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 2ccb76001b1d9e10e5bfde545cebc203b585a87dfae5be9eaefcbd6d2e0a1c54 2244 1771
Set Suspicious Files as System Files Using Attrib.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe 2240 56
Usage of Renamed Sysinternals Tools - RegistrySet Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 96f6bdacbe2704258d0efb6732980de5d8c8fb4c21f34072ec9e4e2267271ec0 2236 190
Registry Modification Via Regini.EXE Eli Salem, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) 876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d 2220 259
Set autostart key via New-ItemProperty Cmdlet Joe Security Joe Security Rule Set (GitHub) 20d65fc22a4ca2deedfc3a40bcfd0522766c18fa1ebd190b9d8fd068ee94ec0b 2214 11
Vulnerable Driver Load By Name Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8f6a6cfb95501925772edc51e1db78dd76eea0e212ed3a9923b1a0de9d552371 2203 621
Suspicious PowerShell Download and Execute Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) bdb4652f83b1c4482478b0c14bcb08d332fcd600a7303ab1c709c543499be726 2193 97
UAC Bypass via Event Viewer Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c7f53a29488cdfc8b3ab7ecb4699f5c655615954b2d1ff9209e2dba026e30dbc 2189 0
Trickbot Malware Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1c7a83aaaaf300f7e44e597465797c7e812cc0c684756d1be37d0ac7acf0dc5c 2130 0
Regsvr32 Execution From Highly Suspicious Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6c6985a0a641b52c4f0f82f7c86c62603a68482d3a2dd76787a91435f6022c75 2117 707
IE Change Domain Zone frack113 Sigma Integrated Rule Set (GitHub) 1fd27acf648f3f73802533ae95c6e367de8eb32fe05e9d3b52913ec54401a5ca 2115 608
New Root Certificate Installed Via Certutil.EXE oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 7e27ad096cfe35b247261a88a0082eb1feb9c110817bfc4774f404f8f2958328 2112 446
Suspicious Creation TXT File in User Desktop frack113 Sigma Integrated Rule Set (GitHub) 965125e7c09a79de6429b9218659a7c8785c989273642091a7ebae3bfbe920c1 2108 1242
Browser Started with Remote Debugging pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4eba2a7f729f2c02ec972ed01919c8bf5d2b8493f9d6a934f14cf0d3a55d14db 2065 264
Curl Download And Execute Combination Sreeman, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 2054 66
COM Hijacking via TreatAs frack113 Sigma Integrated Rule Set (GitHub) 849823df2c9dd0af3b0d2474c1008165e48a5accc0c613e62140502a1eb678d8 2049 1010
Suspicious Recursive Takeown frack113 Sigma Integrated Rule Set (GitHub) f3043e9cf491489279145a8ffefa67bbe2fc398be8117092c11cdfdc2f9768e7 2039 1196
Suspicious Msiexec Quiet Install From Remote Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 62641a1f33f67c78cb5f920f86788ab9e084dd90a20f1bbe56bd0de87f85b129 2032 338
Insecure Transfer Via Curl.EXE X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 77ecce5ea77940e3b7b82f2766d696c4bf16f75a458c3ddfe650f26d4475fa74 2022 320
Whoami.EXE Execution Anomaly Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 2018 210
Suspicious MSHTA Child Process Michael Haag Sigma Integrated Rule Set (GitHub) b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05 2004 326
Python Inline Command Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4eb25eff0b4d84652480301d5845b79be20cecc54ff18737ad9fde16370bcb4a 1997 1152
Potential Encoded PowerShell Patterns In CommandLine Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) 157d3e7415430b97001871f8aecb592075581e05187450141e56c252318f2b26 1993 312
Quasar Joe Security Joe Security Rule Set (GitHub) 295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf 1987 9
Unauthorized System Time Modification @neu5ron Sigma Integrated Rule Set (GitHub) fd18f89d9ade39f1b15ef9cc31ce8423991e3c873567ec9edc2cb1a45ac79f69 1934 447
Dllhost.EXE Execution Anomaly Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 55e193a1988b8c8a7a5a6a43dd2962320dedbc26a63c88ad59d1df2fa6897da6 1920 5
Suspicious Group And Account Reconnaissance Activity Using Net.EXE Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df 1910 135
Copying Sensitive Files with Credential Data Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 1878 5
User Added to Local Administrators Group Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fd4f9d3b927e38cad7f6a36f5f41cae6a1450b551d9506408259953d8d4ee23d 1877 210
Suspicious PFX File Creation Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) ec56e35983955cbc753846d06d67ba2cf88a10a498711ceb84afe1322ca958a1 1869 1007
Extracting Information with PowerShell frack113 Sigma Integrated Rule Set (GitHub) 4e243e6a618f306cfd754df3b30132c4fa518c4ad26b6d755244064cd3110b0f 1852 1038
Abused Debug Privilege by Arbitrary Parent Processes Semanur Guneysu @semanurtg, oscd.community Sigma Integrated Rule Set (GitHub) 9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 1840 20
Activate Suppression of Windows Security Center Notifications frack113 Sigma Integrated Rule Set (GitHub) 3729c929acbee7cae1291d3e460c3e673684211679e8a94cbd1297192aafdd06 1835 4
Suspicious Rundll32 Setupapi.dll Activity Konstantin Grishchenko, oscd.community Sigma Integrated Rule Set (GitHub) f85bfb745e5bbdd54cf800d8d7e40f16b02685138c13830986a050536d69aa0d 1834 435
Powershell adding suspicious path to exclusion list Joe Security Joe Security Rule Set (GitHub) d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 1827 274
Renamed AutoHotkey.EXE Execution Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) faa3bfbb393e061fd71e00b73b6f984037d3a2b68f4e57eb09b3de8ccd76fd1e 1822 40
RunDLL32 Spawning Explorer elhoim, CD_ROM_ Sigma Integrated Rule Set (GitHub) ac298c53d8d1f5e60dfe82fb023ca044b4a7477be65c3b5eab997e0e9cf64528 1813 205
CMSTP Execution Registry Event Nik Seetharaman Sigma Integrated Rule Set (GitHub) ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 1809 32
Rundll32 InstallScreenSaver Execution Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec Sigma Integrated Rule Set (GitHub) e6082733e3e0087a0d92bb4d25eb43218d2a86b3681b4d5ee37ab8c2e6ecde4d 1797 585
Disable Important Scheduled Task frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 09601976d693769f1fe442a0618410420380d7de7aeec4e52c0ebe6e3ebebe56 1786 109
Potential Emotet Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 1784 2
Uncommon One Time Only Scheduled Task At 00:00 pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 85cd399008ef4733657024eb14bcee01c9eda5cb5a070f2f186550293ebe4d29 1779 52
Dumping of Sensitive Hives Via Reg.EXE Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 Sigma Integrated Rule Set (GitHub) 4caa5ae7b301d0b7382caf525ab9dead072ea9efadc1f7cc59d8a59c20b0fe57 1755 613
Powershell download payload from hardcoded c2 list Joe Security Joe Security Rule Set (GitHub) 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 1734 9
Invoke-Obfuscation STDIN+ Launcher Jonathan Cheong, oscd.community Sigma Integrated Rule Set (GitHub) fddefdc90062c691bc46bba8afb5fc6b455c1d7141337a963441437d5355a6c4 1722 28
System Information Discovery Via Wmic.EXE Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 323231f5fffc92ef7ff7f631c4c88594149ee8841ff32c3c742054b37f17e6ae 1720 173
Suspicious Volume Shadow Copy VSS_PS.dll Load Markus Neis, @markus_neis Sigma Integrated Rule Set (GitHub) 90a2634e64f0a02343bf17b797e3d249061fdee81d36e5dac2d8e3fe2a2df280 1705 120
PowerShell Base64 Encoded FromBase64String Cmdlet Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b079b9bebaa7ac01f379d6d83aa123ec20bc9068b9a097e09aec5f87b42d91d1 1701 80
Remotely Hosted HTA File Executed Via Mshta.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 25fb50db6056bc3db5e2f3d8d53b6ef8b6fad41ac3ecaf0386e316bd1711baf0 1700 84
Dfsvc.EXE Network Connection To Uncommon Ports Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d7a62dc09883785488daa6144af5d9bfda250d5660d8c6978c160b54a716b30 1698 207
DotNet CLR DLL Loaded By Scripting Applications omkar72, oscd.community Sigma Integrated Rule Set (GitHub) 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c 1674 927
PowerShell Base64 Encoded Invoke Keyword pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t Sigma Integrated Rule Set (GitHub) b064d328910e5b6554d91ba5ed74ef613fac96a491b96d7456084c26c3cd376d 1674 134
Suspicious Electron Application Child Processes Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2b1f50cff6a2e8639ee801986adca76402def027ff7616841139cbf2ab32e2f0 1665 89
Potentially Suspicious Cabinet File Expansion Bhabesh Raj, X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d 1658 168
Suspicious Scheduled Task Creation Involving Temp Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 1650 3
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE @neu5ron Sigma Integrated Rule Set (GitHub) 388ce51cb79d4deced7fce86e5dcf1e2eec1c04720fb2fc7e451d12abbd53416 1649 776
Suspicious Remote Thread Target Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 35516fc873ed87d5b0b7a43b8533ffc2f5caa47a50e9166c663b25628f65fed4 1643 31
DriverQuery.EXE Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a67413f6ee51de2df640e8a66bd1d745d4e44207f484cbd3b33ac3b3fcbb0688 1640 297
Suspicious GrpConv Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) aa2a49ac8cb28455a3f30cf373b4ee1ade0b735bc1db5a574956be8f95fcf6d7 1636 529
MSHTA Suspicious Execution 01 Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) Sigma Integrated Rule Set (GitHub) 7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951 1635 452
Group Modification Logging Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 48fbab3f0d31a3776ce8099e24b7c20af280fc9952c2d83fb8e54e4808a7d506 1614 177
Powershell download and execute file Joe Security Joe Security Rule Set (GitHub) 1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd 1595 34
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 149998404377f72bc44b77b90b9339b9992c7ffdfa4ac2f8b9197b502ce28357 1586 787
Suspicious XOR Encoded PowerShell Command Line - PowerShell Teymur Kheirkhabarov, Harish Segar (rule) Sigma Integrated Rule Set (GitHub) 3df27b5ffb8110f82c5da9120fd9c1c88c792ef65770b7f2706fc60a04b9cc9c 1575 143
Change Default File Association Via Assoc Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 6143134666e4626abac4d906c673c60d7fdb48a48b44f2817af790432cae836f 1566 237
Pykspa Malware Ariel Millahuel SOC Prime Threat Detection Marketplace daabc950b44baa5580ce5e56de6f2f363ce1854a5273ffd3ac321453e35a83b0 1551 42
Relevant Anti-Virus Signature Keywords In Application Log Florian Roth (Nextron Systems), Arnim Rupp Sigma Integrated Rule Set (GitHub) 39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d 1541 379
Copy file to startup via Powershell Joe Security Joe Security Rule Set (GitHub) f81996947f17d7a0b11829404a9a1b42e1041d6d013b0021dda3bbbb35dfa106 1532 4
New Kernel Driver Via SC.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b1f54a781e9cc27de125f11b56abc94639629aaf0f1fdf9072886fde50266b7e 1530 504
Change Default File Association To Executable Via Assoc Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7fb55b14b0522200d56a9829ce919bc7a3bb320b473d376575989fde5e57f8d3 1503 0
C# IL Code Compilation Via Ilasm.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 611acd0c150597ac4f2758e96797e2e85ce476be43fdec2817e9cd8bcd44de66 1496 116
RegAsm connects to smtp port Joe Security Joe Security Rule Set (GitHub) 4ff400ac692a7dca2bab429bae7ab6cb7f2bae4525b1ba9420ef0b5137ebf1d2 1492 1
Wab/Wabmig Unusual Parent Or Child Processes Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1c3bd5d3931125cc632573be718453c2b36b0f1392032fda05ad4d1982d1c0cc 1481 11
Suspicious PowerShell Download Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0c6e3c35fbd166dc96fbf3faf4f052230a9cc9db642ee3bee40f5c94d5938d03 1465 45
Weak or Abused Passwords In CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 505504b564af2ed8ba77826b758a9eb5bda1701b18ffd11a5266b48d417692fe 1456 635
Remote Access Tool - ScreenConnect Installation Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 1452 52
Malicious PowerShell Commandlets - ScriptBlock Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer Sigma Integrated Rule Set (GitHub) bbb841b3f1cb3bdb122737ca0755cb93d982ecca4651de2822af469b59071f87 1448 231
Recon Command Output Piped To Findstr.EXE Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) cfe5725f3bf0ca4bdbb0fa295dc9f4f317fdaeb5a37cf2252678c2c1c2e4a915 1443 620
Operator Bloopers Cobalt Strike Commands _pete_0, TheDFIRReport Sigma Integrated Rule Set (GitHub) fc1c644d943e763e67a7951dbec3c33d1e4710aed85f336a114eac8b43c735f5 1441 20
Renamed AdFind Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 12b8d345b794db3ab93ddfad353edbac7bb89f27e11dfb968d1e97cbe1061cdb 1436 1063
System Information Discovery Using Ioreg Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 8276e9cd0b9b7c3f0b1005650ba6ee31d135feb4851ec2c1fef43e0ad32f66cf 1435 763
PUA - AdFind Suspicious Execution Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community Sigma Integrated Rule Set (GitHub) 1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 1434 1063
Enumeration for 3rd Party Creds From CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9459f67b1253cc08abbddb96a073b963a102b013d6fb679d6a0273540ad7b19f 1426 358
Invoke-Obfuscation Via Stdin Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 92f548de44082f5573a9a1cde5e0716b71988288605c254b85f32d8f3405ef83 1413 53
PUA - WebBrowserPassView Execution frack113 Sigma Integrated Rule Set (GitHub) 33f5c9533af9250ea025177bce3fdac08e97300ebdcb88f194c75a49a985bcfb 1413 1
Persistence Via Cron Files Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) f74e8628441aa3b7bcbf82dd77cc025925e34078d02d169dd947db62675dbeaa 1413 130
HackTool - Mimikatz Execution Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton Sigma Integrated Rule Set (GitHub) 338397ed109954fb8f766d6849691b20570aadf79c77ac5509047b25b9af2859 1406 20
Process Proxy Execution Via Squirrel.EXE Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) a7aba66fc56c50a87fc053cf4dbd37af1845fac642e98272db5c4d804dc66de5 1373 820
Bladabindi backdoor Ariel Millahuel SOC Prime Threat Detection Marketplace f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 1372 0
Detected Windows Software Discovery - PowerShell Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad 1370 242
Finger.exe Suspicious Invocation Florian Roth (Nextron Systems), omkar72, oscd.community Sigma Integrated Rule Set (GitHub) 7014c2ce26877573641173ba99dcd8d8af4f637986c42be19651a8a37c5ead6f 1363 36
Powershell Token Obfuscation - Process Creation frack113 Sigma Integrated Rule Set (GitHub) 6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6 1361 55
Malicious PowerShell Commandlets - ProcessCreation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6109e5a50653d03dbabfcf3bdf71fa77c6e2430050d589990fe4869424a68d5f 1348 326
Session Manager Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) 9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 1312 361
Mimikatz Use Florian Roth (Nextron Systems), David ANDRE (additional keywords) Sigma Integrated Rule Set (GitHub) 62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 1309 2
File Decoded From Base64/Hex Via Certutil.EXE Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 2d3c931bf891955b7bf9d7745ece5f7bf306ac6c9a9ab72ee992a6d199bc2aae 1300 110
ilasm.exe execution Den iuzvyk SOC Prime Threat Detection Marketplace 382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e 1288 49
Potential Antivirus Software DLL Sideloading Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) Sigma Integrated Rule Set (GitHub) a9d24e4f31c09e5d49bfde0dc5512383f008eb0a959b9e000ec57e5f29264313 1270 539
Invoke-Obfuscation VAR+ Launcher Jonathan Cheong, oscd.community Sigma Integrated Rule Set (GitHub) dbba719e722ed35e6290aec93e2c9879ef0eb3966254ad9f15c73b24f11ccf9e 1269 15
Renamed Mavinject.EXE Execution frack113, Florian Roth Sigma Integrated Rule Set (GitHub) 7e9ffe282ed5cf9a47857b911d7d92611b0af4f61bfe1bf89131f57080e0100c 1267 83
Amsi.DLL Loaded Via LOLBIN Process Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6f788218e57d2939e69140473d30d868ecfc490ccb3caee4be496d022d6bc807 1253 384
PUA - NirCmd Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b206243f31b4de9b9721047301fe3728fcfc85f7c7db682bd477e0d7c41093b1 1252 88
Rundll32 Execution Without Parameters Bartlomiej Czyz, Relativity Sigma Integrated Rule Set (GitHub) de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 1247 30
DNS Query Request By Regsvr32.EXE Dmitriy Lifanov, oscd.community Sigma Integrated Rule Set (GitHub) 047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c 1236 259
New User Created Via Net.EXE Endgame, JHasenbusch (adapted to Sigma for oscd.community) Sigma Integrated Rule Set (GitHub) d83c79bbca4183561b4591dd3ce69faed2e6cfed3217f2658b85c237af7aceea 1234 206
CMSTP Execution Nik Seetharaman SOC Prime Threat Detection Marketplace 58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda 1233 18
File Download Via Bitsadmin To A Suspicious Target Folder Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a88a5cca5a8f8c7db551190230651c821a8acb62ba7f1da53866381af9c5263d 1232 324
Persistence Via New SIP Provider Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ffce9ca9bd1660b065199ba140fc11dab25117a4d350b14bcc2553cece9c997b 1213 833
WannaCry Ransomware Activity Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0 1182 17
Register Wscript In Run Key Joe Security Joe Security Rule Set (GitHub) 530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 1181 14
Suspicious Query of MachineGUID frack113 Sigma Integrated Rule Set (GitHub) 5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a 1175 554
Fsutil Suspicious Invocation Ecco, E.M. Anhaus, oscd.community Sigma Integrated Rule Set (GitHub) 4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e 1172 34
System Network Connections Discovery - Linux Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) bcce343b1b60fe2c9b0a19e6c49cd613e3cd470f7a5a4dc85811f8188fbdc872 1170 811
Delete All Scheduled Tasks Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 828f57327c792b3d7689543c6e7d2a87b71f15589b3c45366d0486473f86b2c1 1162 5
Space After Filename - macOS remotephone Sigma Integrated Rule Set (GitHub) 2b3ab43da00d1cb60c0d3f837ce61f81355c37b68a1c3e826e66d68962c57752 1162 162
DLL Search Order Hijackig Via Additional Space in Path frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) eec4fdc586db73cdad5bc34b172ecb132a75f4607c84cdeef26a811db01918fd 1151 16
Potential Mpclient.DLL Sideloading Bhabesh Raj Sigma Integrated Rule Set (GitHub) 3600236ebf60c82a22ab80d3e53ec7e062aecdf809b0db101631364cbae11df6 1148 1
Process Monitor Driver Creation By Non-Sysinternals Binary Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b37461353268b5d8d8a4a0d3ec132773396606b1cc30106f1524817122d6ed5c 1147 58
Decode Base64 Encoded Text -MacOs Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 1136 66
Potential Startup Shortcut Persistence Via PowerShell.EXE Christopher Peacock '@securepeacock', SCYTHE Sigma Integrated Rule Set (GitHub) 537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 1127 114
EKANS/SNAKE Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 164ef4a9c3213fa19bce8c0def1c7e491e774e8b12b55aaf55c5cc2732b4386f 1119 473
DUNIHI Malware Ariel Millahuel SOC Prime Threat Detection Marketplace 7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 1106 6
Suspicious Manipulation Of Default Accounts Via Net.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4932dce91cb1fcd2986acdfc28c116d5bd4899b8052649b068effd4022c81f8a 1089 145
Malicious payloads that are hidden in fake Windows error logs Ariel Millahuel SOC Prime Threat Detection Marketplace a0266c26a19ccfed14f484c3055ab6ca00bdb3123ee47a1a36410d63d33650ad 1088 285
Access To Windows Credential History File By Uncommon Application Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a97837cc5246d1005cb41d097acb5e089b3031009ed77e1792b93102e79c1f03 1079 5
CMSTP Execution Process Creation Nik Seetharaman Sigma Integrated Rule Set (GitHub) 4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 1057 28
Remote Access Tool Services Have Been Installed - Security Connor Martin, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4fbc5b70b0ec22886cd8282ca750dcf7f30821364598b9309389ea8b9867450f 1053 239
Suspicious History File Operations Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) a90720274637391656758b0a5ab9ec371918d4a1e9d3ac56fd4d0f8719a7da72 1048 590
Execute Invoke-command on Remote Host frack113 Sigma Integrated Rule Set (GitHub) 61dae8b0a35fc9369e410406f226b559d6c9cb12837347724e7c4f9281869910 1046 383
Automated Collection Command PowerShell frack113 Sigma Integrated Rule Set (GitHub) beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c 1039 328
Renamed Rundll32.exe Execution Florian Roth Sigma Integrated Rule Set (GitHub) 9c82223957e793a96ef035ed0c34e45da5cda4718210320cc09615a65b0fb5d1 1037 5
Disable Windows Firewall by Registry frack113 Sigma Integrated Rule Set (GitHub) 2e9f34a4006a3d9169bfe02d2b846c4db28b03c5394e9216e6dac294db0644f8 1032 4
Windows Defender Real-time Protection Disabled Ján Trenčanský, frack113 Sigma Integrated Rule Set (GitHub) a1c6c38c5e7bce405aa9ef27dce9dc9d160e553efc2e947b0b78b5f78219aae0 1032 0
HackTool - UACMe Akagi Execution Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 1025 22
Tasks Folder Evasion Sreeman Sigma Integrated Rule Set (GitHub) ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 1017 0
Invoke-Obfuscation COMPRESS OBFUSCATION Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 2cf6294605b971d082366887fa44157d3f99e7552181ee7314a2ba598a2e5d66 1003 1
Potential Browser Data Stealing Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7f302700c67727730ec082001e9f6840f366aca520673a11d09dd130bfc31429 978 49
Potential PlugX Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 660cdd939969505754f58fd81c22dc2f313f6b7a8fcfcc55f0a45d62d879734f 967 50
Wscript Execution from Non C Drive Aaron Herman Sigma Integrated Rule Set (GitHub) 2f480881c25523a22197ce2abfca8d05a61f804534f8a053fbf65303a9375332 964 65
Steal Google chrome login data Joe Security Joe Security Rule Set (GitHub) acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b 961 0
Fodhelper UAC Bypass Joe Security Joe Security Rule Set (GitHub) c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a 957 27
Tycoon Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 4a1bfdd64820625ce8a3a3a1703ba1575511aa7971c4320893b9fa4b51c65a4a 951 25
Process Explorer Driver Creation By Non-Sysinternals Binary Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 99c7a3c2ca557dc3ff22980e34539383c6be02b29d75aed44570e5292dfb47cc 949 78
Suspicious FromBase64String Usage On Gzip Archive - Ps Script frack113 Sigma Integrated Rule Set (GitHub) 4c7e768ac31ad9f19aa32c2c10eb81eb9b6ae9d00129f474125bbfa6e8cf42ae 947 20
Suspicious File Download From File Sharing Domain Via Curl.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049 942 198
Uncommon Outbound Kerberos Connection Ilyas Ochkov, oscd.community Sigma Integrated Rule Set (GitHub) 9c660d5fee16f15f8c327be10917fac3b7275a58ecb9ed73d49e0ac6c35a7df0 939 29
Suspicious Reg Add Open Command frack113 Sigma Integrated Rule Set (GitHub) 81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba 938 35
CoViper Malware Ariel Millahuel SOC Prime Threat Detection Marketplace 156996684d126da245b795581497a973d9061da14c527920068752bc9a466ecd 934 173
Suspicious DumpMinitool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5756a38333b7f693b74fb2c16621de4da8e6e821acbb692ada0984c90768ca6b 921 40
Suspicious Invoke-WebRequest Execution With DirectIP Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fda985869abff56461050c96a2f19a215ac6e3636ad0bb952561118e7989a6f5 919 101
File Time Attribute Change Igor Fits, Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) cf228b836870037eda6ce9d429595c3a3c8bb83b64b142fc4dae821bc43b3fd8 915 583
MZRevenge Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace aa09c929bbf92e934dc584324a80a81643f2c336dba38293142077f86bdde84b 912 472
Schedule REGSVR windows binary Joe Security Joe Security Rule Set (GitHub) c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc 910 0
Renamed CreateDump Utility Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ed9dd3a8bde9d3f74318eae5a66dc75d50f12cb32fd6854fb7289d91507b60c9 909 676
Potential Data Stealing Via Chromium Headless Debugging Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 894bc44621968b8ec9fc62b70f7ecf4d2f1e5bf6ff6c9e1c450929a2f2d8cc09 908 60
Publisher Attachment File Dropped In Suspicious Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a8d0cd7feb7b63732f7a4b623d0c83302978e8b31eb15abbd34e71731c438c1c 891 556
File Download Via Bitsadmin To An Uncommon Target Folder Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 26ba1712f407ff4fbcd023c45091ebd8daf92a2befec4d5f1969002f7eeead49 884 115
File Download Via Bitsadmin Michael Haag, FPT.EagleEye Sigma Integrated Rule Set (GitHub) aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 882 193
PUA - Process Hacker Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9a58c7a82520f7b9dc792cd56e2fce86b3157b6cef6fb23101ba29111c5e4733 878 12
Remote File Copy Ömer Günal Sigma Integrated Rule Set (GitHub) 1cde4fe7d0cd62ea67b1474e3fd6fe9a6931bd8af934f3a5e9b8c134d90bd7b5 877 561
Potential Renamed Rundll32 Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6473e93a221b66c30b661dabfde02604f395c46f8e019efe0b3db46cd7dc03e7 859 234
XSL Script Execution Via WMIC.EXE Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c 855 26
Bypass UAC via CMSTP E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 848 38
Add Port Monitor Persistence in Registry frack113 Sigma Integrated Rule Set (GitHub) 8dbe594a0f4eb93aed5bfffd0545b03cb0d8c91d229a169700c0d5a7b140795b 841 398
Search for Antivirus process Joe Security Joe Security Rule Set (GitHub) b0b2b7f76cb8009a5eba92496814aadf2b2a17d8f5ffdc4169a2a8a8b6335ee7 840 69
Suspicious Sysmon as Execution Parent Florian Roth (Nextron Systems), Tim Shelton (fp werfault) Sigma Integrated Rule Set (GitHub) d76c7bc40bb395a6c2bc04fb2518aafb5044409e7d084eab35a00d6514635261 835 3
HackTool Named File Stream Created Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b995506076579a8c1f5b600eca139df5fd016994aab5c3865a4f7f7cd0dc3931 818 0
Powershell Directory Enumeration frack113 Sigma Integrated Rule Set (GitHub) 7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681 814 398
Windows Internet Hosted WebDav Share Mount Via Net.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 958619e5eaecca1767a6c71701ed1838a9cbb62ccabbe7c6a9d8679a3fc0e0f8 806 180
Suspicious Start-Process PassThru frack113 Sigma Integrated Rule Set (GitHub) ce0c4f663ae2b2d04af92c5309f25b12035419b2fc2b6b9c161ab8c7830e3e52 805 331
Outbound Network Connection To Public IP Via Winlogon Christopher Peacock @securepeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 030a43138df8f268a688b4d336377f9ae24dca9828eec55a36d20824b6201ae9 804 0
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE Greg (rule) Sigma Integrated Rule Set (GitHub) 59b298e2e3b915378e28421e82fd8ba5669ee9eb26f07f878bde7303b4baf016 803 189
Cscript/Wscript Potentially Suspicious Child Process Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86') Sigma Integrated Rule Set (GitHub) 1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e 801 62
Suspicious Rundll32 Execution With Image Extension Hieu Tran Sigma Integrated Rule Set (GitHub) 9103c9abde5b20f2b8e59ee53ea823a7c4e9d171c3f07a383b2ee7c0b3f792f6 797 107
Change Winevt Channel Access Permission Via Registry frack113 Sigma Integrated Rule Set (GitHub) cf2984facb3af2703a88c05e420505bdaad5887f51fbf32167a0bf5abfcc28bc 796 11
RDP Sensitive Settings Changed to Zero Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) e03a36fa82b6ec641fbe51860f9769191f5a8055411effaabb66600f778ef3ee 794 100
Shell Process Spawned by Java.EXE Andreas Hunkeler (@Karneades), Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d 792 126
Service Security Descriptor Tampering Via Sc.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 79b65bcfec60a228ced8c00aa4b8ff786ce017482ff46446e002fd9ea7bdbd00 790 529
Disable Windows Event Logging Via Registry frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7496876fb48565b8278bf669ff38b2846b842f9f663b755f72c105f928ae76c6 787 49
Tap Installer Execution Daniil Yugoslavskiy, Ian Davis, oscd.community Sigma Integrated Rule Set (GitHub) 47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a 787 292
Suspicious Parent Double Extension File Execution frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 00b61d3ad8d5b276f712ce687ea306dc5b640516a51e65fd05ec277c5b979611 782 16
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b2414a4d8972516423f6b63d79b5aaffd883551d5c9ee63294d6395da8f6a88b 779 520
Always Install Elevated MSI Spawned Cmd And Powershell Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community Sigma Integrated Rule Set (GitHub) 742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc 771 227
Office product drops executable at suspicious location Joe Security Joe Security Rule Set (GitHub) e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 769 6
Potential Recon Activity Via Nltest.EXE Craig Young, oscd.community, Georg Lauenstein Sigma Integrated Rule Set (GitHub) 1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b 766 16
DarkGate - Autoit3.EXE Execution Parameters Micah Babinski Sigma Integrated Rule Set (GitHub) 9d3ba304b0b049fd4dd6a95685a9801b6cc9da0ac7837b8c106f010aa4f79723 761 26
Suspicious WmiPrvSE Child Process Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 761 0
Whoami.EXE Execution With Output Option Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) accf31ff0e1e1b6219d9c964b9ca9832458e71ee32cac96d64cb26de422128f2 760 106
HH.EXE Network Connections Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4630d11b74b3a0ee68be5cd7788cbf0adc046f1248a513c2971cf8dd4a03835b 751 475
Suspicious FromBase64String Usage On Gzip Archive - Process Creation frack113 Sigma Integrated Rule Set (GitHub) 7ba93fc93efb5d8901f3061f6c7f586575a9b70f53e7c4e4241975131258aac9 746 1
Network Connection Initiated By Eqnedt32.EXE Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0418449ae011d99278f952cf0feb26a91074c66d4f9fd7f162f91ae71262c40e 745 0
Disable power options Joe Security Joe Security Rule Set (GitHub) 57a5517535a56aab78723dc056130f1e0a6659bbc7addedcacecafa9ed499f0a 744 0
Potential Edputil.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) ecb809c2a4f83341a0254cf013ec5faf8d4870c4ad1a2ba5564f248d54621a89 739 165
Disable Administrative Share Creation at Startup frack113 Sigma Integrated Rule Set (GitHub) 529a42d20f26a0247c669d877e7a0260adfafaaf2627c9f33ad4d8b571e8d20a 734 7
A Rule Has Been Deleted From The Windows Firewall Exception List frack113 Sigma Integrated Rule Set (GitHub) 67a0e8c868b0d9e328cacb80b1deb06682096f1919a50ecd953a8b4cc9a1d01e 726 620
Uncommon New Firewall Rule Added In Windows Firewall Exception List frack113 Sigma Integrated Rule Set (GitHub) 67d7bc69b082fefa483232989806870ecde5e6bcb70d0db262c428e845ce0eff 726 620
Windows Firewall Settings Have Been Changed frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 726 620
BloodHound Collection Files C.J. May Sigma Integrated Rule Set (GitHub) ea90a9d0a5b0365173a60c78d15843211f9bc89dd93a164a6b464b66d82da85c 719 526
Pyvil RAT Ariel Millahuel SOC Prime Threat Detection Marketplace e1ca1eef7de3f782d09979e606d626e690c8a52046acf75e7a5de3203cd0a570 712 234
Potential Persistence Via Notepad++ Plugins Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1492d5fa8f02d4d7ce8b5c279841da26a3dae0da5562729690d1875944341bc0 703 366
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) Ariel Millahuel SOC Prime Threat Detection Marketplace bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d 702 192
Domain Trust Discovery Via Dsquery E.M. Anhaus, Tony Lambert, oscd.community, omkar72 Sigma Integrated Rule Set (GitHub) e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e 694 0
Bypass UAC Using Event Viewer frack113 Sigma Integrated Rule Set (GitHub) a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 684 4
Clear PowerShell History - PowerShell Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed 679 176
Malicious Nishang PowerShell Commandlets Alec Costello Sigma Integrated Rule Set (GitHub) b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce 668 72
Spora Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 667 155
Writing Of Malicious Files To The Fonts Folder Sreeman Sigma Integrated Rule Set (GitHub) 50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 667 2
Copy itself to suspicious location via type command Joe Security Joe Security Rule Set (GitHub) ca9a79f8e23430115778a41aa4671433713b393278e1a60331cbb991a0f30f82 664 97
TeamViewer Remote Session Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a8298e7cd8ae07e912b976b51f53ec407301b782a18845c32270523946510c52 664 451
Suspicious Get Local Groups Information - PowerShell frack113 Sigma Integrated Rule Set (GitHub) 5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b 662 377
Potential Suspicious Activity Using SeCEdit Janantha Marasinghe Sigma Integrated Rule Set (GitHub) 49aac70aa91f01a7539b5678a4fd244f32b078c30cec03a7ca460298d59a2a43 659 228
Verclsid.exe Runs COM Object Victor Sergeev, oscd.community Sigma Integrated Rule Set (GitHub) 0cc6e99f887ebd84bef65b69e0c64f654364e79f53cf546f89d1507edd3bbb6b 657 244
Renamed Plink Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0b74fe58c124fa3f0817cadd3efb94d64ded5662336971846facb96d8b01e56a 647 161
Suspicious RASdial Activity juju4 Sigma Integrated Rule Set (GitHub) c182c186baaff4acc155d390da0732179995f7767ef1710ca041111414a157f6 646 201
Firewall Rule Modified In The Windows Firewall Exception List frack113 Sigma Integrated Rule Set (GitHub) 1b4845df7f68549988add5335d4685cb047e4eaabd5768d84a5483935b0d5499 645 551
Security Service Disabled Via Reg.EXE Florian Roth (Nextron Systems), John Lambert (idea), elhoim Sigma Integrated Rule Set (GitHub) 0c3e5c376a4a569ab4a4f3217dd009bb34e695e5fa82da85111db47f2b801bc9 645 24
CMSTP Execution Nik Seetharaman SOC Prime Threat Detection Marketplace 7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c 641 23
Windows Hotfix Updates Reconnaissance Via Wmic.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 392fcdac1175baa32b5f9e8899fc0dcd24fb0c6c9390adfd646bd983451e2810 641 176
Group Membership Reconnaissance Via Whoami.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4a8be8d477a2fbfadd8b27b53ce2a677c2b380814db4dedf6b47a8986fd6a69c 638 143
Discovery of a System Time E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6 635 83
Potential Libvlc.DLL Sideloading X__Junior Sigma Integrated Rule Set (GitHub) e154e6fee14ecb972ffc142082d91cd9b413720840d13f7eef05014791a60d1a 632 257
Windows Defender Threat Detection Disabled - Registry Ján Trenčanský, frack113, AlertIQ Sigma Integrated Rule Set (GitHub) baa17a6a8681c2a3d925f497f9c81458eab98535fd28d8909861aece2b9cb901 632 7
MSBuild connects to smtp port Joe Security Joe Security Rule Set (GitHub) 86905c36f5c4e855311f702723eec0c6a4dc9e9992fcec9b2ddcce685b7c2e09 615 0
Potential Command Line Path Traversal Evasion Attempt Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc 615 161
Powershell Install a DLL in System Directory frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 51fc69e23d6cd3acb20d821dbe95596fb6d8cc314866c51a6a23033b83818ee8 612 259
Service Binary in Temp Folder frack113 Sigma Integrated Rule Set (GitHub) 36e24eb60fb7bfe4a61d59d53220df514ceab13a68a4221cf5b7d120d53c4a3e 612 193
Potential Ryuk Ransomware Activity Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 610 18
Potentially Suspicious Event Viewer Child Process Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d37f057d76500ae8527178a9ea367395f2bde798f1cd048621be74f915b28aa7 602 22
Csc.EXE Execution From Potentially Suspicious Parent Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c 601 27
Modify Group Policy Settings frack113 Sigma Integrated Rule Set (GitHub) dfec584345112d1012631493a8cdef4a2eb03ea5bd33d360363e24776a148a71 599 63
Clearing Windows Console History Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 589 166
Potential Credential Dumping Attempt Using New NetworkProvider - REG Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fad33264376c884f3f011141325fcda3eb98e6b4c916520ed6044fa16c571fe9 589 439
Potentially Suspicious Child Process Of Regsvr32 elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b 583 8
Frat Trojan (Loader detection) Ariel Millahuel SOC Prime Threat Detection Marketplace e5340d719fcf66efd2a0ce9db73895f3154a53e10e72e001760230ca6aa22057 579 0
Gatekeeper Bypass via Xattr Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 7f400a75c32e600540f4565bd2cb4099e67aab98f70299b5fe20136c9bc9f13b 579 472
Execution of Powershell Script in Public Folder Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a39a26b108b99d76b325cabad67ed0b401f56104a863ba5158e0d3b889adc0d 575 46
PipeMon malware detection (Winnti Group) Ariel Millahuel SOC Prime Threat Detection Marketplace 7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d 572 427
TrustedPath UAC Bypass Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 804e7993351b779b371021d0b762692107233efc595e1171e5f9ebc62b851247 565 5
Suspicious GPO Discovery With Get-GPO frack113 Sigma Integrated Rule Set (GitHub) 039172cd0dec626a7758aecf1db76255b8994bc61501f3a732abb90dc4e88560 558 392
Suspicious Connection to Remote Account frack113 Sigma Integrated Rule Set (GitHub) 71f9611fe50b2788a25e6b1c3fb3d035c5e04dfe73447ed185bfde157084fc72 544 294
File Download From IP URL Via Curl.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) eb80a13f018daf47775fec9d5aaf6173f1ad3ed6a71702583f0bbb2feabc66f4 541 30
File With Suspicious Extension Downloaded Via Bitsadmin Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6650c06d796cadbfac3560efcd86cb681d552bf6cb9c4d1fa9b6c82b556ae087 538 74
Powershell LocalAccount Manipulation frack113 Sigma Integrated Rule Set (GitHub) b3caa02d87fceb141c3eb2e3715d1290976d6fdb56070c03362cd1fb6808f95d 531 254
Suspicious PowerShell Invocations - Specific - PowerShell Module Florian Roth (Nextron Systems), Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) 355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b 530 2
Tor Client/Browser Execution frack113 Sigma Integrated Rule Set (GitHub) 5e1ab62fc9383aad72ce1011e101e15342e386adc35483e383f335b0e5904f84 530 67
Rare Remote Thread Creation By Uncommon Source Image Perez Diego (@darkquassar), oscd.community Sigma Integrated Rule Set (GitHub) 11642a2b68a439e8804e904e15e5f8d7463330056739adb17310fefab75d3585 529 3
Remote Access Tool - RURAT Execution From Unusual Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) afdd67de130ff9c5fd2b18ca53480574ad0613d99edb23555df03caaf3cd774b 529 6
Suspicious Characters in CommandLine Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8d9898d05ff5a6ca099b0ec5f7aee9f3581d649c0ac4f2cf24f874e95d19d5ac 529 64
JScript Compiler Execution frack113 Sigma Integrated Rule Set (GitHub) 2ff165b71352ba7322e48c1d765629db5ccf8ba92e65a3ab9a4d375da0846a6b 526 1
Stop Windows Service Via PowerShell Stop-Service Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ad906661229e2ccee26f0fa5a23b6e080c651463299081f5b7a9bdeaa0b4f857 526 205
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 44eceb73238948cbe65640378028a4f9d3a835bd2929cd4b8462e465a825c85d 524 60
Powershell Sensitive File Discovery frack113 Sigma Integrated Rule Set (GitHub) a4c59bdaf575107ce23b3c6e62c772eece15e1f61e51a236e70e3b95c48bf0a8 523 203
Suspicious Printer Driver Empty Manufacturer Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 69f693a2bf7b4c283ad2afbd17043a7a25fd7596d7f26f5f77436d56ba9529e8 523 266
Curl Web Request With Potential Custom User-Agent Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 88ff5337fc700aeab5dd5118bce29d1ca0b6108a128d1dfdf3638f38fbcea403 518 73
Remote File Download using GfxDownloadWrapper.exe Den Iuzvyk SOC Prime Threat Detection Marketplace 16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e 514 514
Suspicious Execution Location Of Wermgr.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 83b8f87b02d40783b017b20b24c9d622b8aa76ca308e3f4219d233beabd20b07 512 26
Potential Privilege Escalation To LOCAL SYSTEM Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7e17cc0d521f2433baf3ca36bf22ec2946bb387a555fee75aff1c992849a2578 509 49
Suspicious PROCEXP152.sys File Created In TMP xknow (@xknow_infosec), xorxes (@xor_xes) Sigma Integrated Rule Set (GitHub) b33ac74e3c46a62df1698c5ebafdc2ab3f5907feff6e6ec1f73d273465b4aa5a 508 12
Powershell Exfiltration Over SMTP frack113 Sigma Integrated Rule Set (GitHub) b09b9f74febb3e25b3de69614b6193a2740c00fe9e7ccf5e62f503de56c5c1bf 503 313
Xwizard.EXE Execution From Non-Default Location Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 96b3df20cf0336e4751b0a85d9786ada6ce7185e05988a511f646967e712cc1d 502 10
Modify Group Policy Settings - ScriptBlockLogging frack113 Sigma Integrated Rule Set (GitHub) 312aebbf9dd01274971762d360bf4d4870a7b7138c7cc149d33a9ba8df72b293 500 339
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 25caa714d53ce1601014e133c61d1dd3b361938e96a8ab5f410b0f3de1c8f8c9 499 94
Suspicious Splwow64 Without Params Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c4e0758476210a09a3e470db05d2cbec0aebd511e48d351685c75970566f894f 496 51
LimeRAT Joe Security Joe Security Rule Set (GitHub) 667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 488 1
File Download Via Curl.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2ba177894c99b540ea867640a2706237f274cc5b176aeae69bbe985e11bb1b06 483 143
PowerShell Script Change Permission Via Set-Acl - PsScript frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 30f46284fa7f3fb0c36a6eea80464adf534469d7973d103ba867d6a004a5ce53 483 230
Data Copied To Clipboard Via Clip.EXE frack113 Sigma Integrated Rule Set (GitHub) d1138c20627ece208ac948647342866415641b06510830449eb2bf7d2f32e4af 477 97
Suspicious Certutil Command Usage Florian Roth (Nextron Systems), juju4, keepwatch Sigma Integrated Rule Set (GitHub) f1e311405e4ccc1c99ed8213bdc24b813560700daa47ca78033edd0d8993ba04 476 29
Outgoing Logon with New Credentials Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 55191fe8fd6505fe4952b024afcf9016670b4fade05502947a91ca4d3558d59d 475 49
New ODBC Driver Registered Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a5902259c1aea8cf86393e1e31b5bbe43caabcb3df6b2f410176d1b2c8ac6cab 474 345
Atbroker Registry Change Mateusz Wydra, oscd.community Sigma Integrated Rule Set (GitHub) 15ae81a84c9a92e5ffb3bc1c4cecc28883ece49fc1ceef55d745ac094ece0622 465 276
UAC Bypass With Fake DLL oscd.community, Dmitry Uchakin Sigma Integrated Rule Set (GitHub) f7b3aa6e9bcd6bb0bf047e633bb513434546a05f9322c433f8df8c2355115339 463 183
Active Directory Computers Enumeration With Get-AdComputer frack113 Sigma Integrated Rule Set (GitHub) 37b6b961c7d630d66ed7dffc1fa2aae8811008a45bb73eadb3a78bd34a309c6b 461 326
Operation Vicious Panda (COVID-19 Campaign) Ariel Millahuel SOC Prime Threat Detection Marketplace cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 461 25
System Scripts Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca 460 0
SideWinder Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 1f154d23ec03058edb48ed3380f862daca50719af728e0660a5dc14a5ab5b867 459 197
Suspicious Interactive PowerShell as SYSTEM Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f8335c66f6b8aed850de5246bacec6f1eee18e5549c581e9892827d840e5720a 459 8
HackTool - SecurityXploded Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 457 26
Potential ReflectDebugger Content Execution Via WerFault.EXE X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) c39f4f5b97b1b17af1e4ec1d780f8384744cdbdcaf071260d5e9d9c523e6bbb3 457 399
Register DLL with spoofed extension Joe Security Joe Security Rule Set (GitHub) ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 454 305
Use of Wfc.exe Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 828fcf5b0d289ec191b7e622d323a6e6def6af24a2d4aa575f7f8543ffd3de0e 451 20
Trust Access Disable For VBApplications Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 262bfe67aaa5a8f3edc4f148e59a0ee2c9aab2cdd6e1833ff3cac93540de2c0a 447 20
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded Perez Diego (@darkquassar), oscd.community, Ecco Sigma Integrated Rule Set (GitHub) 3be9b8df84e3f6ada915083f86f0f6325f5e3243c3d383f8bf5413b9388ae350 446 167
Potential Persistence Via Shim Database Modification frack113 Sigma Integrated Rule Set (GitHub) 8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 442 147
Exports Registry Key To a File Oddvar Moe, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) a5e61828c15a99ec1e32a76e1f2d9bca2eba0d5d62d10197c69a8988b85c445a 441 140
Potential Attachment Manager Settings Associations Tamper Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) beea9838b890b61ccab05d6321880b112538b784e3caf82454293c4c087caadb 437 6
Suspicious XOR Encoded PowerShell Command Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 312888984ff0222cd7bd45936afd14feea146948ac0e6941f3e0513e56d51e65 434 0
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) df4c82057d61dd45f1a9a17a781614a8918ad397600ddeee25a1615fb75459e8 433 13
PUA - Advanced IP Scanner Execution Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy Sigma Integrated Rule Set (GitHub) eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 427 87
Windows Defender Threat Detection Disabled Ján Trenčanský, frack113 Sigma Integrated Rule Set (GitHub) 41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc 426 332
Office product drops script at suspicious location Joe Security Joe Security Rule Set (GitHub) 67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 424 59
Remote PowerShell Session Host Process (WinRM) Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 414 23
Potential Persistence Via MyComputer Registry Keys Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f776409e7a0ad2cd5dbb2241bddedc4d94cffb55043ccb0254fd7266f7f10720 407 151
HackTool - Rubeus Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 74f9a93f96bad4ba440f105a789ab5905ef284191baa105737e7ac861d13bd44 405 0
Remote Access Tool - UltraViewer Execution frack113 Sigma Integrated Rule Set (GitHub) e5a4bf7a1c38d3917af9af6ae6ee7c2038a1ad6450721694cc741d2410b05834 402 171
WebDav Client Execution Via Rundll32.EXE Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 27f312fa081c26ea0c76a26a31e9c6fe7a974b36000c89db9e288fd1ca3a6e9e 402 130
Launch Agent/Daemon Execution Via Launchctl Pratinav Chandra Sigma Integrated Rule Set (GitHub) 18992bc0af590fff76bc3d6fbd1f89e36882bbae039d8c4ccd73c952397c875e 400 381
User Added to Remote Desktop Users Group Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 400 50
Crontab Enumeration Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 23f3512bc30a856ca1f3906b9e52716a70df17c2083065536ac9ea6176aaf3ba 399 66
Renamed Remote Utilities RAT (RURAT) Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a7d9d6781e1b1a5c65f3603e5aa6e2da23879bb16ea543f313a3d39f5d7949a8 399 12
Indirect Command Execution via Forfiles Tim Rauch (rule), Elastic (idea) Sigma Integrated Rule Set (GitHub) 21c4db1b5b4f502860c9d961662f1f7daa62cf3e4c4c9712977dae1ad368a19e 396 2
Register Jar In Run Key Joe Security Joe Security Rule Set (GitHub) a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba 394 5
A Member Was Removed From a Security-Enabled Global Group Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 1d6eea9825839d71a79ed93bd0f383b8826d8a1ca80c0d063e7f43e648b2d67c 387 75
Windows Defender Threat Detected Ján Trenčanský Sigma Integrated Rule Set (GitHub) cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 386 332
PUA - AdvancedRun Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1acf8a5bd4b9da5f502c337d49e41685a8b09ec964d979cda876f038871b43fa 380 25
PUA - NSudo Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 813ebaa5c2ede1835703f1defdfeae762f95ae97f36a5ee2da94b4b2b0877e5a 380 6
Potential PowerShell Execution Policy Tampering Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78 377 113
Suspicious Download From File-Sharing Website Via Bitsadmin Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 54145fc7feb54b73cba1cc24c4cd84fd7f99ba4e75cc334003bc39785217bc30 374 57
Suspicious Unattend.xml File Access frack113 Sigma Integrated Rule Set (GitHub) ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 370 71
Uncommon Network Connection Initiated By Certutil.EXE frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80b6e3dc8d08ed8e3d4ef52e59af689b5f0215b08d92b3fce2310539c37b6b31 362 59
Rhadamanthys Stealer Module Launch Via Rundll32.EXE TropChaud Sigma Integrated Rule Set (GitHub) de0e634fa9106c661586ec7674b77259237dd3f5bd92358ce52a278d05072e99 361 1
Suspicious Curl File Upload - Linux Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) Sigma Integrated Rule Set (GitHub) 53df4e098ad6e906fbb05243a95d838a673d2ba830a6c9ee0cabeac59d2f9a9d 358 296
Manipulation of User Computer or Group Security Principals Across AD frack113 Sigma Integrated Rule Set (GitHub) 080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd 357 97
CMSTP Execution Nik Seetharaman SOC Prime Threat Detection Marketplace 7577d4e0fc2ced5cc24f093d5dca8c02dd117651e5112bee21b6526b7fa34075 356 3
Potential 7za.DLL Sideloading X__Junior Sigma Integrated Rule Set (GitHub) aec40a5dfd8adbf624b6c870c2aaa6c94cbc9435be56b32bfce0204180123841 354 229
Decode Base64 Encoded Text Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 353 89
Copy From Or To Admin Share Or Sysvol Folder Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3 352 53
Squirrel Lolbin Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 352 233
Hypervisor Enforced Code Integrity Disabled Nasreddine Bencherchali (Nextron Systems), Anish Bogati Sigma Integrated Rule Set (GitHub) d7747cd9601aab6c6a1df6e7b6a31da269e383405a5100fb533784f3e7a52085 349 27
Potential Qakbot Rundll32 Execution X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 03f2abf64a64f57b8e66090fc2f63645b79fe633bbffa28d32e0440b03c4c0b9 347 215
Potential Tampering With RDP Related Registry Keys Via Reg.EXE pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport Sigma Integrated Rule Set (GitHub) e56cee5542b4c0d63057ea40087d4adf80e75c85d61d4c444e7b3f9b64a62cd5 343 81
Potential Invoke-Mimikatz PowerShell Script Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) eea4b79cda06d89aedf4a8bef48f151e04c00dcefd21c9b9c8dcb3d1457b226a 341 7
Sapphire Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace af5ee1ff302412603f190ad74d459219970f99e1b5a92d952a2e953f522b38c3 340 0
Suspicious Binary Writes Via AnyDesk Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e63c082925104de00901f48dacf129e0a824bbe55c24ed90ba31d4e82c44f216 340 6
Bash Interactive Shell @d4ns4n_ Sigma Integrated Rule Set (GitHub) f79f3c90ed2814f8c1329307fde553431e9978c1fb579ef0824abb01a64310bf 336 166
PowerShell Remote Session Creation frack113 Sigma Integrated Rule Set (GitHub) 2edbd80b280a70f7636ca307800e2c61b25d829eca7c992125bf15782e91f688 332 193
HackTool - winPEAS Execution Georg Lauenstein (sure[secure]) Sigma Integrated Rule Set (GitHub) bdf9a7887267777773c9949f494e9799efef1be392343e309b16334f10b7bd66 331 11
Lazarus System Binary Masquerading Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) d945c7338838af1692c329f71f050302338029127281ca66006ba926c9a9d854 329 6
EQNEDT32.EXE connecting to internet Joe Security Joe Security Rule Set (GitHub) 3b421cd3a4401c0dfc3d2c5613d705669e2bdcf8d998c4e363d2e1e5cbd328d4 326 0
PowerView PowerShell Cmdlets - ScriptBlock Bhabesh Raj Sigma Integrated Rule Set (GitHub) c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 325 91
Outbound RDP Connections Over Non-Standard Tools Markus Neis Sigma Integrated Rule Set (GitHub) dbfca88ab9ee6831be6d244ddd8d59d64840215c6266895aed60b0192f60f226 323 4
Suspicious PowerShell Download - PoshModule Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f 323 3
Renamed CURL.EXE Execution X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) e90bd630609a035372a71ff4471ee3d2e99ffb6464b8370ef394ea1a4d2c36f9 318 18
Suspicious PowerShell IEX Execution Patterns Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5 317 25
Windows Defender Real-Time Protection Disabled AlertIQ Sigma Integrated Rule Set (GitHub) 19a5c3cad343931aed1e013cfe07ab95ba7b853ee5b40c6828fc766529e602bf 317 0
Glupteba malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace f75c71f7be8a63670e0c606b582900d5a921916b46408da383beb0786cb5588f 316 1
PUA - Netcat Suspicious Execution frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 316 16
Suspicious Processes Spawned by Java.EXE Andreas Hunkeler (@Karneades), Florian Roth Sigma Integrated Rule Set (GitHub) 0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 316 109
Potential Arbitrary Command Execution Via FTP.EXE Victor Sergeev, oscd.community Sigma Integrated Rule Set (GitHub) 89f260c1bb244a6c153a5d3a5951ec6f517e5e846823da8b22d1b5192f798e62 313 54
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d01338d0a87197c0e5132ec7b920332c01f5c9e8218c727591d81888d10a9754 312 0
Potential Persistence Attempt Via Existing Service Tampering Sreeman Sigma Integrated Rule Set (GitHub) 01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b 310 70
Compressed File Extraction Via Tar.EXE AdmU3 Sigma Integrated Rule Set (GitHub) b0ed746e9cd2eab869bddc4a8122b28ee59bdf9fb2bedec78463b8df812919f3 308 136
Mstsc.EXE Execution With Local RDP File Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock Sigma Integrated Rule Set (GitHub) 4476f97756130311a92e0412033fd3fdacf6c62d0eb95901dcab7519a0236740 308 28
PDQ Deploy Remote Administration Tool Execution frack113 Sigma Integrated Rule Set (GitHub) d4455289124296f34e652e21b22099e2dbeb914261581fba842def35d85a6d92 308 290
Potential Raspberry Robin Dot Ending File Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 36337e6a48c8f0ee0480d1739b35c93b2d000d9b86a4ac01dbf80b5960b6db32 308 145
Suspicious Activity in Shell Commands Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9f38dd0d0f681b4185f6a6008d3904a10d8e2fe4e9dcf5aaba007262f1230dcb 308 17
Indicator Removal on Host - Clear Mac System Logs remotephone, oscd.community Sigma Integrated Rule Set (GitHub) adfe5f99b6a812a149fe86b53528239d9e7938e56d2864d1403950040a11e57b 307 114
Windows Admin Share Mount Via Net.EXE oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga Sigma Integrated Rule Set (GitHub) 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c 307 42
Use of Pcalua For Execution Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 15a88fc8b846a774c398a2350aba9d8b4203f0cbb095abb4035f8f0e2c3ca2d5 305 18
PUA - AdvancedRun Suspicious Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 75719e469ef20b32e309a7f6531a0e2548349e059e4c4d943740490e0dd8f526 302 0
Suspicious HH.EXE Execution Maxim Pavlunin Sigma Integrated Rule Set (GitHub) f011f2d580ad7a21cd2da8b72d5734b707147be0ec1270fb20fc1aa455fd4d89 302 15
Suspicious Download Via Certutil.EXE Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 58420e39c1212a7677f357957516cbc90081f03f0eff5a93e3fa8476eefebfcf 300 27
Suspicious Service Installed xknow (@xknow_infosec), xorxes (@xor_xes) Sigma Integrated Rule Set (GitHub) 7cbbf00cea5dc446cd78a75bf887ac0cc4816a0c14fb2fc31cb6c2e5043641e3 300 20
Potentially Suspicious Desktop Background Change Using Reg.EXE Stephen Lincoln @slincoln-aiq (AttackIQ) Sigma Integrated Rule Set (GitHub) ad9e20584fed7e2a67c1b21ac30b801ba17f35dfe33a1200cfcc4af157454cfe 298 94
Suspicious Microsoft OneNote Child Process Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) Sigma Integrated Rule Set (GitHub) c2b8793bc5dc3f78c117608b17e59499e853d298dba8c03f56b4bbcd6d0c0f16 297 2
Buffer Overflow Attempts Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 295 184
Disable PUA Protection on Windows Defender Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 09a64c87ba1b11c75a19c495d100b0ef9fa95955560f0e1b4f9f2842159caaef 295 1
UAC Bypass Using PkgMgr and DISM Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c 295 38
Suspicious Schtasks Execution AppData Folder pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a09b70879bee26f128e93430015539e1b08567dd211bd7411ff6e600ed8d5f6b 293 59
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 292 132
Set custom UserAgent and download file via Powershell Joe Security Joe Security Rule Set (GitHub) e582e78adeafd207d6a2f3d950ffcb4127273371fb705b3ef4b6930eb5bb79d5 290 2
Netsh Allow Group Policy on Microsoft Defender Firewall frack113 Sigma Integrated Rule Set (GitHub) 631a83ba9daa9bb7ff02be55784068db1eeaa6935ea10809a1b8a8cf4ce2abd3 289 74
PowerShell Base64 Encoded IEX Cmdlet Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6011c0e706a0ea8a69892186b9808f52466832e2c60ea353b876a15100a2c891 289 28
Network Connection Initiated To Mega.nz Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 286 93
Linux Crypto Mining Indicators Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a54f90d76f6357c3494a27966d9ddc15850d9dd07fd3848ac2a031ac149bec1a 283 6
Uncommon Extension Shim Database Installation Via Sdbinst.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 813f8997c08df471ef89b590a0967a9068aaf4baa601376fcc7dc9060d98dfb0 283 108
Cred Dump Tools Dropped Files Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) 45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb 282 37
PowerShell Script Execution Policy Enabled Nasreddine Bencherchali (Nextron Systems), Thurein Oo Sigma Integrated Rule Set (GitHub) 7d44a600e53e8dc468836aa200851d612b4e9d0cce60dc1cf0b2ddc30551134c 280 4
Whoami.EXE Execution From Privileged Process Florian Roth (Nextron Systems), Teymur Kheirkhabarov Sigma Integrated Rule Set (GitHub) f3863a9acecacb856747d09b6541ff99d6245853902c8785a4d4985fde12bf22 279 22
Renamed Vmnat.exe Execution elhoim Sigma Integrated Rule Set (GitHub) a94bce44672eb0c1fb09c1cec60477d64a82eb540559b6577c4370d99fbb38ee 276 6
CrashControl CrashDump Disabled Tobias Michalski (Nextron Systems) Sigma Integrated Rule Set (GitHub) de530c1426a408ae40cc5a51e752587348efab456b3dcc12204b8c47a389eb83 275 14
Suspicious WebDav Client Execution Via Rundll32.EXE Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a2c6a7629f2d0d6b18c2ce3cddbee5522cbf1f3e6e8bcf0692c9e9393724ebaf 273 17
AddinUtil.EXE Execution From Uncommon Directory Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) Sigma Integrated Rule Set (GitHub) 28cd83ce12bf7ac57977773f55d7b8b368541555cc375faa0ba5968fd2d99a60 272 8
Outbound Network Connection Initiated By Microsoft Dialer CertainlyP Sigma Integrated Rule Set (GitHub) de4fed7747a5e6b41ac74953c16ceaec580ca5c847915817f1f7a7603b096246 272 0
Security Support Provider (SSP) Added to LSA Configuration iwillkeepwatch Sigma Integrated Rule Set (GitHub) 303ed88ac4fc55c5f589ac99388d35769e708b361f23a767523b143a6751efc0 271 102
Clear Linux Logs Ömer Günal, oscd.community Sigma Integrated Rule Set (GitHub) 4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 270 77
Run temp file via regsvr32 Joe Security Joe Security Rule Set (GitHub) c70694dd88c0a5a32ad8a52ef4ad97a6525c281308ba84e791661580aab19264 268 36
CoViper Malware Ariel Millahuel SOC Prime Threat Detection Marketplace c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 266 3
Disable Or Stop Services Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0aefa5af3ce18645188a34cbad40ebfc008ebab07e5d5404a636792bb7023634 265 143
Potentially Suspicious Child Process Of ClickOnce Application Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 920fe62cf594dbba4b9849105e6af672ef9c197f7184586a009e3195bdd1c925 265 52
Psexec Execution omkar72 Sigma Integrated Rule Set (GitHub) 38908b57fac2bfb8f5f8466c64aa654432aa3d6f14700b122a4c4afb85f51879 265 5
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) Ariel Millahuel SOC Prime Threat Detection Marketplace a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d 264 18
Remote Access Tool - ScreenConnect Remote Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 170e0c16739cbbdcf75e4053e9fa80a10dbe8a05bdeb1d83020ad37566d796b9 264 4
InfDefaultInstall.exe .inf Execution frack113 Sigma Integrated Rule Set (GitHub) f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 263 54
Potential Raspberry Robin CPL Execution Activity Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) c297c796b6f3b39c781e4e772cfee6de320f223e025982fd520d4128f069085e 263 3
Suspicious File Download From IP Via Curl.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ae613ed890bf3b871457b4c8ae4286d26be7254491c8e47c38fab809c4375d42 263 59
Potential Shim Database Persistence via Sdbinst.EXE Markus Neis Sigma Integrated Rule Set (GitHub) f228d8546016f76e5942e38208fa8a55735339d54ec3f56e63b2b9133b037a7c 261 58
Nltest.EXE Execution Arun Chauhan Sigma Integrated Rule Set (GitHub) 03ddbba7f8c72cbe2e0de21552f7f8f8a101955c12556c2bdb06219c0c968836 257 114
PowerShell Base64 Encoded WMI Classes Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d5a6acf8297313dfc47ed41e174ccbdcf2ac0a174e059a599f880ad761dfe89 256 1
Potential Rundll32 Execution With DLL Stored In ADS Harjot Singh, '@cyb3rjy0t' Sigma Integrated Rule Set (GitHub) 115d14851bb2ec7497bd4b28be653bf38f285d93d2dc7bbe1c9c7ac94a76da3f 255 100
RDP Sensitive Settings Changed Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) e6aa587c97733e016f1b4f6f624300aedfd416066f9b69512bd9ab43d8b81d61 255 26
EVTX Created In Uncommon Location D3F7A5105 Sigma Integrated Rule Set (GitHub) be104b5c33d23ea5b193fa207267ec1f1058e6a2096a14b67fc5c957fdb94b85 253 138
Service StartupType Change Via PowerShell Set-Service Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a1369ba6b294845b80eaa8e066a683a25e6d2cd458f78a519a4aa7cea4b3fba1 251 72
Powershell Timestomp frack113 Sigma Integrated Rule Set (GitHub) 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 250 95
Uninstall Sysinternals Sysmon frack113 Sigma Integrated Rule Set (GitHub) 422a2d0c4ea81e0f14306603309b37fedea591abe396235a46638eedb3aa069a 246 8
PUA - Fast Reverse Proxy (FRP) Execution frack113, Florian Roth Sigma Integrated Rule Set (GitHub) 2efa94e8cb6d016973ddbda2ca94b9db0d935bf31c7d4ede736b02e9d8ed25aa 245 1
Check external IP via Powershell Joe Security Joe Security Rule Set (GitHub) 4b3ac3a4fac3672c92791075c26f1e10555eb3385628b923bccd8cbbd5dc83a1 244 38
Persistence Via TypedPaths - CommandLine Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3f78ff7ab6850cb34de03f0d9dd46de9ae0b96b1eeb140dcda89aabc2b7462a0 244 63
Root Certificate Installed - PowerShell oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b 242 103
Suspicious Creation with Colorcpl frack113 Sigma Integrated Rule Set (GitHub) 4a29af926d08877fafd396f3d616bf6c90064503754db0460c36b7c0dd99dbbc 242 6
msiexec download and execute Joe Security Joe Security Rule Set (GitHub) 80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 240 1
Detect Virtualbox Driver Installation OR Starting Of VMs Janantha Marasinghe Sigma Integrated Rule Set (GitHub) 3cbde0faee76f7509cfde702c1c324a83ac88cb58f0e0f74b2682a9b60369b1e 239 79
Suspicious Office Token Search Via CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d914cc65d6c2c6363da71b09c2053c49031ad5dd7762f7e08df307adf0892f8f 239 105
Suspicious Scheduled Task Name As GUID Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ef39cf85c48f12af91e233355369755a0620b84ae2ffacce7f740a2b429531d1 239 4
Bladabindi backdoor Ariel Millahuel SOC Prime Threat Detection Marketplace 21b5ec718fa5dffa5785f1bdf68d0bab711e89bf6d4613aab3af0c7d0acdbd0a 238 0
Suspicious Obfuscated PowerShell Code Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d8233999a8d30f6ee903ed094bc3c6fe4008a4be43a580311a9d379867e54538 238 25
PowerShell Hotfix Enumeration Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6715493a73f1ae31ce901cd48d6907aafa006d047fa07301d790319a8ff89813 237 170
WMIC Remote Command Execution frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a72068f1e78b9563b352425ce5dd77aeaebcabfd4790a51a78cfd11d07e016a8 237 29
Code Injection by ld.so Preload Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 235 20
Local Groups Discovery - Linux Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 0b93262008400f8b22d04eac398727ff17377f8b7f399741a879ed674b5940f3 235 114
System Control Panel Item Loaded From Uncommon Location Anish Bogati Sigma Integrated Rule Set (GitHub) 7558a1c97a7b2400810934778152ef86113f31961b7d88655f0384652da936fb 235 45
Suspicious GUP Usage Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e52de558a2f45ea0c3633bf97f5181779246c0964d7003bd012f344221f012ba 234 15
PUA - Rclone Execution Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group Sigma Integrated Rule Set (GitHub) d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e 232 105
HackTool - Koadic Execution wagga, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) c5d484cc0502bed15307c6bcc483ba03518aaa99ca3cca09b01da3ea57317777 231 7
Load Of RstrtMgr.DLL By A Suspicious Process Luc Génaux Sigma Integrated Rule Set (GitHub) 768defcb9e242825579cefb1548499d288a81e43688bc48e91a51f9755a14106 231 5
Password Provided In Command Line Of Net.EXE Tim Shelton (HAWK.IO) Sigma Integrated Rule Set (GitHub) 356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 231 96
Outlook Security Settings Updated - Registry frack113 Sigma Integrated Rule Set (GitHub) ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 230 123
PUA - Process Hacker Driver Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b0d1bb8b34cc8998b5c64517d209194141fc1ade58d04a41bb18fd11be56edfc 230 0
Schedule CERTUTIL windows binary Joe Security Joe Security Rule Set (GitHub) 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 230 0
HackTool - Certify Execution pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1feb34fc6cb1b6cc6e7f79cf3437684366634b5dbbdfd6e053e0f07cdecdd327 228 73
Suspicious Process By Web Server Process Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ca0321ec695742141eb7a3fb00dfc04170d24e00d3f021803c488451d9c4648f 228 3
WinDivert Driver Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a 228 48
Ufw Force Stop Using Ufw-Init Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 3b99cfddafbe928cbdbe1bffc59282013b9389bce664830e434b17c6c47769d5 226 23
New Process Created Via Wmic.EXE Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community Sigma Integrated Rule Set (GitHub) 29ea4c436137aafe4f4ab08ff716f2a03e416beb0802c5a009cfb266b5d948c6 225 9
PowerShell Create Local User @ROxPinTeddy Sigma Integrated Rule Set (GitHub) 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 225 70
Disable of ETW Trace @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) d85308a28516fa075ee74a4ffd11aea2be1f15add944422ade0969027648a3fa 224 57
PUA - System Informer Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a00758f1aca02cbafe08dfea3c9d6fc45ef3972d7e1ccc41ef3df19293c36d15 224 14
HackTool - CrackMapExec Execution Patterns Thomas Patzke Sigma Integrated Rule Set (GitHub) 4adf455dcb8e143b4df56b115b6a64714aa6d18f105e8e3d9859c02f686e393b 223 131
PoetRAT detection Ariel Millahuel SOC Prime Threat Detection Marketplace 9d199db1a634577d3f5cc20a856125c4d011cf3785ae959ddad5ca77431d81a2 223 0
Winlogon Helper DLL Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 222 109
Compress Data and Lock With Password for Exfiltration With 7-ZIP frack113 Sigma Integrated Rule Set (GitHub) 227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 221 119
Compressed File Creation Via Tar.EXE Nasreddine Bencherchali (Nextron Systems), AdmU3 Sigma Integrated Rule Set (GitHub) 982905654574a9a7d204ef080147616dc585ddf0111f74d517a85ff94fcf04e7 221 92
Suspicious Get Information for SMB Share frack113 Sigma Integrated Rule Set (GitHub) 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d 221 144
Suspicious exeplorer.exe execution Den Iuzvyk SOC Prime Threat Detection Marketplace 2f0a10e6befc35eb8cf3d8af89b1db1a84a53b5aff114a90c2d1b0a3a697d1ac 220 25
Change User Agents with WebRequest frack113 Sigma Integrated Rule Set (GitHub) 024c79f380ec5ead6ad1ccc07deb79a5a281021a443831220b62f700f9cfe3d5 217 96
Dism Remove Online Package frack113 Sigma Integrated Rule Set (GitHub) 835544e76c588c424d064ff04c81b644c875fe6499d31ecb188d5e3e59f4e72d 217 92
Suspicious Eventlog Clear Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a049127770d6c92e914c0806277852c3b69f5e9cc86ca0f687e50e60c12d8868 216 65
Suspicious Unblock-File frack113 Sigma Integrated Rule Set (GitHub) 71c164abf414b20e2e799e16de648202a68a8205db9f81d0dd28495ba9ce1ce7 216 111
Potentially Suspicious Shell Script Creation in Profile Folder Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 75fbf85188235a403847898f76531554e988c5316df1299753442fad2ee0b7b1 215 44
RDP Connection Allowed Via Netsh.EXE Sander Wiebing Sigma Integrated Rule Set (GitHub) 0edbdff715350e06427add8d168d0d14de79ec048ea17f4a243589e2ccdc63df 215 25
Control Panel Items Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) Sigma Integrated Rule Set (GitHub) 2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 214 41
Payload Decoded and Decrypted via Built-in Utilities Tim Rauch (rule), Elastic (idea) Sigma Integrated Rule Set (GitHub) 8df9869d57c609e184a4e1d02d938d96351116a7e5fe08436fb539b7cb675267 212 0
Suspicious Download From Direct IP Via Bitsadmin Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 341222e0eba20f3fbf807a78669d6bd5ab3f6245589b85086cece2a9518283ca 212 21
HackTool - Empire PowerShell Launch Parameters Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) dae7277357ad237d5dfceb985bdbbaffa777a494f5cab14f067003795d395650 208 2
Obfuscated IP Download Activity Florian Roth (Nextron Systems), X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) ffc754712d43996d8ad6fc8498ab7057e29da0a46860be0cb0daab6dd58f1afc 205 38
Schedule script from internet via mshta Joe Security Joe Security Rule Set (GitHub) a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 205 0
Valak Behavior (Sysmon and Cmdline) Ariel Millahuel SOC Prime Threat Detection Marketplace 7703b5b01adde91ddc9f6ec5a2ba30dd35be11277cad519ecdf5442a8358319f 205 32
AADInternals PowerShell Cmdlets Execution - PsScript Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6d5567356ba0845cc4858843f110d6459b2d79576a5e0139dd7b2218b9f556e8 204 195
Remove Immutable File Attribute Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 317e93721a5522556a572030086fc84621a557cc5edeccf22ab7af63689a5661 204 31
Remove Scheduled Cron Task/Job Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a0e343af9ac4b19a8ff9f0cd81d30a29e473fb0938c05d141f74e93d6b7d8f83 204 19
TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) Ariel Millahuel SOC Prime Threat Detection Marketplace 97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a 204 113
Nohup Execution Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) bad6dfec2abf828a85fe50bc6fb16600e7090a7d73658e2ae431aec1555bcbec 203 97
Renamed Whoami Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 201 6
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE frack113 Sigma Integrated Rule Set (GitHub) 2291b42b147dc3089126be94f1bf34506fa822ea41904e0632fbe519dd3799a8 201 12
Uncommon Child Processes Of SndVol.exe X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) ae29aa8c58d6f592b709707a80042a957eb54a89d6411f1fe9b6bf12bd4f225c 200 0
Flush Iptables Ufw Chain Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 7bad36edd1846bfc2bf6f4e3318e8d1794ee3eafa59a025658cecfb8bde246f3 199 14
System Disk And Volume Reconnaissance Via Wmic.EXE Stephen Lincoln @slincoln-aiq (AttackIQ) Sigma Integrated Rule Set (GitHub) 3b87c918c891cc71875e579ccec1db6182cc5e8577cc337cd77a54306f24aafc 198 64
Forest Blizzard APT - Process Creation Activity Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4c5a7a616317db46375162adc01d0e6f2e45615cc5d2a4b5124d3452a8c4553b 196 59
DarkSide Ransomware Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 195 3
Suspicious New-PSDrive to Admin Share frack113 Sigma Integrated Rule Set (GitHub) 9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 195 76
Disabled Windows Defender Eventlog Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d8e5c8a4902824901a6b91baa07694ac8ea9e13689cebd342572a8b546bad5bc 193 2
Potential Powershell ReverseShell Connection FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1b46ecd9aa9660208e7f7cbb3e4ad79d7fc469adb5c2c5dc81af712ebce9b80c 192 16
Application Terminated Via Wmic.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2db6346fec29f9d33fb9a84eeb0843c8dbb41e4c167ba165566d4a1f5b9c921c 191 51
Delete Shadow Copy Via Powershell Joe Security Joe Security Rule Set (GitHub) d91fb994dcf44dbdd52950e6db5cdf99eba912926494deb2f92f3f2dbf232740 190 0
Suspicious Epmap Connection frack113, Tim Shelton (fps) Sigma Integrated Rule Set (GitHub) f7111a6bcb3ca53bd2233e4c87e194a56653dc72a81d92c78e707b7348c4f241 190 10
DUNIHI Malware Ariel Millahuel SOC Prime Threat Detection Marketplace f4f15f4329fad912838474d3d5eb2925ae7045b2046b5dcf92c7c16c189927b5 189 0
Potential DLL Sideloading Via ClassicExplorer32.dll frack113 Sigma Integrated Rule Set (GitHub) 8fd7600f68e8c01123815959e3b174b06eb3794d62cb511c05e49548a44bebf2 189 46
Use of Remote.exe Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 598030e3b99748bb98e1a8c78a24023b80499c1526fd7b7719b5265a781b5402 189 66
MMC20 Lateral Movement @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) Sigma Integrated Rule Set (GitHub) 047087ddae3ef4f27e871131c79addb166cb71593c4fb795a5d119d4d78cd0a7 187 5
System Integrity Protection (SIP) Enumeration Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 7cac7de2df55c2e3a6ea2825dc0a8ee65b4fa8c5e20a648776883eef5ed47cc4 187 155
Command Line Execution with Suspicious URL and AppData Strings Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 185 6
New Port Forwarding Rule Added Via Netsh.EXE Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) 00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 185 14
Shedule hidden powershell script Joe Security Joe Security Rule Set (GitHub) 9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d 183 10
Suspicious Curl Change User Agents frack113 Sigma Integrated Rule Set (GitHub) 93f12e3e5c1af45ad5cce51fca771889beae9d1da27d23d889c557f217fc803f 182 6
ClickOnce Trust Prompt Tampering @SerkinValery, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0074b65628de8c068abdf29904b82da56361668862472dad4f92969c6bee1cf5 181 178
Odbcconf.EXE Suspicious DLL Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 16ea31e234af1f8991ca97669b5681616ecdd409eacb4c3b0b4e2cc3febfd702 181 41
Persistence Via Sudoers Files Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f8ee3ba4187b3d0d1e52e0c2db8dd9b1bca93d09c84da45024fc646b37179ae9 181 9
Suspicious SSL Connection frack113 Sigma Integrated Rule Set (GitHub) 862ef09072518dbd7b5900500c4908a6284ee88f03b45ad0c0b20f3eb495f645 181 6
Potentially Suspicious Child Process Of WinRAR.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3403fa242d939f60babe764c3b8083029e83943b7f7347ae53b880b8fdef114c 179 1
Active Directory Parsing DLL Loaded Via Office Application Antonlovesdnb Sigma Integrated Rule Set (GitHub) 6691a047173376a6c37e4a5a5a2ca36610041e928c2900eb7665491f798ff07e 178 107
Possible Process Enumeration (Sysmon/Windows Logs). Roman Ranskyi SOC Prime Threat Detection Marketplace 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a 175 107
Download File To Potentially Suspicious Directory Via Wget Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) c14acc44b7a21724d221a1ace54effc332427d0340619e20a9dc8a66cec01ec7 174 145
PsExec Service File Creation Thomas Patzke Sigma Integrated Rule Set (GitHub) 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 174 13
Potential Azure Browser SSO Abuse Den Iuzvyk Sigma Integrated Rule Set (GitHub) 08cc3358fc66df84bafea574255088ebf9e6d0b56cc08317abc1bc31f94bab4b 173 74
Powershell downloading file from url shortener site Joe Security Joe Security Rule Set (GitHub) f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 173 49
Base64 MZ Header In CommandLine Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 754e38d8c28a41c5d8fab94446819cba31374961a938b11c2766647ee5dda64c 172 6
Potential Suspicious Mofcomp Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 890b5bcddab8d41ea499e521d3dabfb62f66e175c7e5968407080b5c7a4f2aa8 172 104
Hiding User Account Via SpecialAccounts Registry Key Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) c5763f84925887a9d36054776ddf6d48e47d552ec2e7fed586026049488c127c 170 50
NetNTLM Downgrade Attack - Registry Florian Roth (Nextron Systems), wagga Sigma Integrated Rule Set (GitHub) 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 170 22
Potential Webshell Creation On Static Website Beyu Denis, oscd.community, Tim Shelton, Thurein Oo Sigma Integrated Rule Set (GitHub) a52a436bb2117d8c22878afc1facac963ffa5feca0046433c94396c44991c948 170 95
Suspicious Extrac32 Execution frack113 Sigma Integrated Rule Set (GitHub) 22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 170 70
PUA - Seatbelt Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c38f8f9eadbe19471d3a16edc3057b1660a29e4b74e90fb2ff929df10c440a40 169 3
PsExec Service Execution Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6ce71be75a7090fc85bf7d41e3b363a7a4dce58549844db0c3e5d9d3b32a3e0e 169 6
CARROTBAT Malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace 5244e0d5e7e39e2209c4a02fd25867f6008966d611f19da634de6505358c95a6 167 3
Suspicious Hyper-V Cmdlets frack113 Sigma Integrated Rule Set (GitHub) 62e075896842e5b2072a0b1610a9995667d1edd599e21657ffe829aa871cc56d 167 125
Potential Iviewers.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4a3ab15f0d9e71b31849c630b42e36683c5269c2ce71c8042193fc224000fd25 166 7
Potential Recon Activity Using DriverQuery.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c887795f89a95940c21235ec7fff122040bc4c53b14e9a9ba700193f3a7db228 166 55
PowerShell Credential Prompt John Lambert (idea), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 166 112
Service Started/Stopped Via Wmic.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2e3d78c5e41e6de41cac9e7f1872a39a27300e4078b7a403b7c6d4f0ca96daba 165 22
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6a048234462e46cb2ce5b49006ff2d3e6f3a58ef583716ceaf74d911b04c1a85 164 134
Saefko RAT (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 164 0
Harvesting Of Wifi Credentials Via Netsh.EXE Andreas Hunkeler (@Karneades), oscd.community Sigma Integrated Rule Set (GitHub) 9d07a4fa9892ca001b30724fd1594eff85b72585c8f1106889da7e97608509b4 163 12
Disable Security Tools Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) d934cd2adbdfb7c12ed5f937e36ed253d3f53495f0194507c0ea80b55f983957 161 49
MZRevenge Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace c5132d9b7ddc56b36fc0095350bd8556ff7fc29c750387be3e0344beddf41f7b 160 81
Schtasks From Suspicious Folders Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) afcc7387bfcf1a39c26eb91bc6b000368dba233e0d6405a1ed3dc8b8e436f18e 160 76
Windows Firewall Profile Disabled Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e 160 43
Windows Registry Trust Record Modification Antonlovesdnb, Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) 9292d14bdf79582c701fad33de8f018f0151bb6acfc181fba0dd5d223cee498c 160 58
WMI Event Subscription Tom Ueltschi (@c_APT_ure) Sigma Integrated Rule Set (GitHub) 07b95c7eb376ac65a345dc6a2c1cb03732e085818d93bd1ea2e7d3706619d78e 159 25
LSASS Process Memory Dump Files Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 157 5
Kill multiple process Joe Security Joe Security Rule Set (GitHub) 868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 156 1
Pikabot Fake DLL Extension Execution Via Rundll32.EXE Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d2e7f69856c6eba054ab2d9b33d6e18e37f32395e2ec959833d093e0f329e64 156 30
Schedule VBS From Appdata Joe Security Joe Security Rule Set (GitHub) b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 156 30
Local Groups Reconnaissance Via Wmic.EXE frack113 Sigma Integrated Rule Set (GitHub) 386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 155 17
Potential Suspicious Browser Launch From Document Reader Process Joseph Kamau Sigma Integrated Rule Set (GitHub) 4cf2765db5ac9cff670057e7a2ff51a5921b05f5510beec491c0e15534d9a619 155 70
Schedule binary from dotnet directory Joe Security Joe Security Rule Set (GitHub) 3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 155 0
BackSwap Trojan detection Ariel Millahuel SOC Prime Threat Detection Marketplace 6cf0858071345dfa209de5be9510786314771819c7ae412dbfe82b134cb3697c 154 2
Suspicious Workstation Locking via Rundll32 frack113 Sigma Integrated Rule Set (GitHub) 7077cb988db6f3b9dad54bcebad8cd59c0e62dd4b3f4f99d281d5e2b721c92bf 154 59
credwiz.exe DLL side loading Den Iuzvyk SOC Prime Threat Detection Marketplace d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a 154 32
HackTool - Rubeus Execution - ScriptBlock Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 98b35d6064ab9d23d69cf136567c9243c969bd5a1bf0f88f94c768bb1c624d71 153 3
Active Directory Group Enumeration With Get-AdGroup frack113 Sigma Integrated Rule Set (GitHub) 2363089b66b3f43001c4d30a1a0d4a7a622db02c1b8f68a3aa3be7c674be645f 152 112
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script Tim Rauch Sigma Integrated Rule Set (GitHub) 3fad126ae93b8bb078502d36cb4e234c89c2539784bb1f8e446e615d3f54c186 152 4
MZRevenge Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 152 0
MsiExec Web Install Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c56598b1a4dc67703e332a7df820b31b6690ea40d2352aead9f77f441f6f5b2d 151 7
Potentially Suspicious DLL Registered Via Odbcconf.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 391646c8321e490960603a2b21d983579e26c6c48aced031950d46bf9cbc4799 147 40
Custom File Open Handler Executes PowerShell CD_R0M_ Sigma Integrated Rule Set (GitHub) e441ec55e6c79f736b37301c124beac89f633c990d45a175da5e134af80e91c6 145 14
PUA - Radmin Viewer Utility Execution frack113 Sigma Integrated Rule Set (GitHub) 656b04cfc858a6fe2bf9dd2c3fc9b7beef1f30399b5817f0ad3a3862463f3783 144 2
Potential AMSI COM Server Hijacking Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 738acd800035a9376f9c5ed9937f647fdc87ccefc57ccd0fab07a3fc108fa255 143 28
Potential CCleanerDU.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5009a283b0a4eb41a0b527ce473a2e7865766f8bcdb943ddebb06bc75f1c479f 143 88
Renamed Jusched.EXE Execution Markus Neis, Swisscom Sigma Integrated Rule Set (GitHub) 395d81f2cea49ebe846ec75b230f6e7f8ff1541f56a65ee0ca6336a3730a5af3 143 10
Winlogon AllowMultipleTSSessions Enable Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4727efa76db9ecb53c0dd7505b171422c948b4b68999ca9c8f1a47f11a387ff6 142 9
Request A Single Ticket via PowerShell frack113 Sigma Integrated Rule Set (GitHub) 7b7092f37f648c00a538947e2cb178b5c50e31e552b8bff8251ffaf4d4e49a68 140 13
Potentially Suspicious Ping/Copy Command Combination X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2dc5d25da9f75ae324bd1ef4e2e4fb2084251a622beac794700223e8c20907a3 139 0
Security Privileges Enumeration Via Whoami.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 139 43
New BITS Job Created Via Bitsadmin frack113 Sigma Integrated Rule Set (GitHub) 1bd7a375097c5f1afa59522776e79bf741057e59bdf9df33985fe7db095c655c 137 46
CodePage Modification Via MODE.COM To Russian Language Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) d24e5c8054aafd6a688f580d314146106d7ba097d4f9bb630c6ca4f260c4f712 135 0
Commands to Clear or Remove the Syslog Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) 82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d 135 4
Password Filter DLL Modification (Sysmon Behavior) Den Iuzvyk SOC Prime Threat Detection Marketplace cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 135 75
ScreenSaver Registry Key Set Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) Sigma Integrated Rule Set (GitHub) 6e68f5c105dfd23d227bb84e1d2fc8eda9de15b7826b6c74dcee7913742ea06a 134 56
Wake-On-Lan Joe Security Joe Security Rule Set (GitHub) 7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 134 2
Insensitive Subfolder Search Via Findstr.EXE Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fc0dfa66e10e89529136659b68704c27d9c50955795ed4bd4fb70b8ff27a2cdc 132 77
Internet Explorer DisableFirstRunCustomize Enabled Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b5977f01764dc3b0e2e3b7592943fc4bb6b4e55d5fcec607c905ea26d222e9c6 132 16
Commands to Clear or Remove the Syslog - Builtin Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 130 3
New File Association Using Exefile Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) 3616394136d97f22be2d8a0718627a44f64289b519a8ab455bef574a2a43961a 130 2
Fsutil Drive Enumeration Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' Sigma Integrated Rule Set (GitHub) 29dde5587c090e85fff677c9d2643ac2deba99c10c07e68a2e71407af9991486 129 38
Pass the Hash Activity 2 Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) Sigma Integrated Rule Set (GitHub) 1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed 129 2
Potential Persistence Via GlobalFlags Karneades, Jonhnathan Ribeiro, Florian Roth Sigma Integrated Rule Set (GitHub) 94ec0949b00016f88171e5d46125aad5bcbd3980d50085c2ae009dcd34e39190 128 19
SoreFang Malware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 128 47
Port Forwarding Activity Via SSH.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c815b3703c48114366c7be5b543fc8851073e1b27fde789d784a09a657295a9d 125 24
Abusable DLL Potential Sideloading From Suspicious Location X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 566d4ee50b2fbe8a5d724a630f1f5eedae86a015b59b83014a6e8612339d8523 124 9
Malicious Base64 Encoded PowerShell Keywords in Command Lines John Lambert (rule) Sigma Integrated Rule Set (GitHub) 2741e38c5a55999659c8e2ffe6365a21db8ec070e03a5a2f78326209ada99b63 124 3
Potential Goofy Guineapig GoolgeUpdate Process Anomaly X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3de373579cf42d786c41c5e8a743ccfd4b7b5dc392778d033e34cb2284045399 123 0
Creation Exe for Service with Unquoted Path frack113 Sigma Integrated Rule Set (GitHub) 3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af 122 0
File Encoded To Base64 Via Certutil.EXE Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 119 16
PowerShell Module File Created Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ac9471aa53e0850fa4b5f9ae701b9d20783d5f3762aa950efee3d94d5f862283 119 76
WSL Child Process Anomaly Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 39a511112093810c2b82b35c4c8575b0f249dc7b9e8631fe75c6481c5c7e2658 119 0
Cloudflared Tunnels Related DNS Requests Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) eb3d787705736430a92c127b22627ce5de4f5d421899962446a84013018022a9 118 21
Gpresult Display Group Policy Information frack113 Sigma Integrated Rule Set (GitHub) fdd0ef0378b9c7a67394fe97fcd782578201d6012af812d4f19483149704a866 118 38
Qakbot Rundll32 Fake DLL Extension Execution X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b67830e1ab8ef95eab597f2514e4e830d57cd5b3070020fe62fb7a33c5c9a514 118 6
RDP Hijacking. RDP port changed. Den Iuzvyk SOC Prime Threat Detection Marketplace a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 118 9
Wusa Extracting Cab Files Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fb45aeb08550a3b51cede01e424c60a35987f3cba89d7a2e08d5783975154bda 118 10
Wusa.EXE Executed By Parent Process Located In Suspicious Location X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8a6cc2ec2dfed9361b49f2176c76b8d649124a8c438e3f14104c8ffc82685cbf 118 24
PowerShell Profile Modification HieuTT35, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 25ba0fd933ae7d522dfbe81f445736e4bb4015e2ab0ce76d436c139485e79e2e 117 75
Procdump Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a 117 74
Suspicious Outlook Child Process Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team Sigma Integrated Rule Set (GitHub) b05b4cfe9fd991fdb7151994946888d5558694fb5cd0726cb437ec39e393a597 117 2
Register New IFiltre For Persistence Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ee0912f0124b2509a7672d8c5478428150f436ec04279e2240e1b457049eae5b 116 28
Testing Usage of Uncommonly Used Port frack113 Sigma Integrated Rule Set (GitHub) 45fddb986c296e8a5cc65d9e7d93b5666adb505378e865f501b8a9946a4cc8fe 116 71
Vulnerable Dell BIOS Update Driver Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee 115 60
File In Suspicious Location Encoded To Base64 Via Certutil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 01705d905ff73214a70aaa5cc788cda6fa3195220319780605c2ba2c7afdacd0 114 12
Lolbin Ssh.exe Use As Proxy frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 2055166f6099144ebb73ce53abe7aadcd74447fb30806756d8fe22ac92352f1d 114 29
Suspicious Execution of Shutdown to Log Out frack113 Sigma Integrated Rule Set (GitHub) 3970bd95a88d05869fab2e89b8b02fda81406f83ecd9e197b1249a06a3f8eb62 114 30
System Information Discovery Via Sysctl - MacOS Pratinav Chandra Sigma Integrated Rule Set (GitHub) 6b439e7ab03962ceecf94adcefab3b39b7b2a4aca37d37cc79113e8276df9c9d 114 107
New Root Certificate Installed Via CertMgr.EXE oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 7967f7ab83c7127d55911fc713e9a9bd4d66a313b85fc76a5957a7666db29e34 113 20
PowerShell Logging Disabled Via Registry Key Tampering frack113 Sigma Integrated Rule Set (GitHub) e08c8016940ec5fbedc1d8b08fff3fb1c6bdf197e8fea3c4fbceaa55058f07a3 113 3
Powershell add exclusion path, extension and process Joe Security Joe Security Rule Set (GitHub) 177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 113 1
Powershell create lnk in startup Joe Security Joe Security Rule Set (GitHub) fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a 113 7
Linux Command History Tampering Patrick Bareiss Sigma Integrated Rule Set (GitHub) c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 111 27
Malicious PowerShell Scripts - FileCreation Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein Sigma Integrated Rule Set (GitHub) a76fa0f689961152a23aa5f209a6af1314317a976fc0ce87fc515430cd043c5a 110 15
Deletion of Volume Shadow Copies via WMI with PowerShell Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) c7ad5ab5203e14414fcbfb23542125d64b7aca04b7afe48d594ecb9b7c117ec3 109 0
PUA - Chisel Tunneling Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2d130c854a78ff4630994ab2107c3a8b18cc55785432c30b32d253f1c219289a 109 2
Potential Arbitrary Command Execution Using Msdt.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 96f35178aca93f73311713ffbcade7354646a1facaf7c2fce0201147d4b4b5c0 109 1
Potential DLL File Download Via PowerShell Invoke-WebRequest Florian Roth (Nextron Systems), Hieu Tran Sigma Integrated Rule Set (GitHub) abaf76ffe44f9fecc068eae92c53e3c5c4059258b40f40eafc69759c4661d667 109 20
OS Architecture Discovery Via Grep Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 1a3577e67f806b29ef2a52975305c90e5a28597217567af774c26c0bb29a837f 108 56
OneNote Attachment File Dropped In Suspicious Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) afd9349ba03eb1032e975c339bf0a626bd6fa3cf66270e4bac353a102c07848b 107 74
Outbound Network Connection Initiated By Cmstp.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3ee0f25c3d0b70476bccad0e57a0351cf8822d966bb558a9a49836dccbc9fe41 107 0
Potential Defense Evasion Via Right-to-Left Override Micah Babinski, @micahbabinski Sigma Integrated Rule Set (GitHub) 8c9d950be3588ee779f57d3c33f03abbaa5ab145cac1a897bfa816cd0745a1c9 107 2
Use of TTDInject.exe frack113 Sigma Integrated Rule Set (GitHub) ce2c1d30a6032c8bf814508ea0142036631b7b690cff7d809dfac541ddf4c01a 107 32
NTFS Alternate Data Stream Sami Ruohonen Sigma Integrated Rule Set (GitHub) 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 106 59
Root Certificate Installed From Susp Locations Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 99ad87050a603d266b14f9d38b78913daa61c2b7dc6b1441427d022050ccc8b7 106 4
HTML Help HH.EXE Suspicious Child Process Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 03c63f09ca0da10cdd578a2b9318266b2f2ac550da5b256d00ce4c0cbbbedda0 104 7
Potential Obfuscated Ordinal Call Via Rundll32 Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7bdb12eebdabf1b207f0dbcb9c1b6b22d47d6d42e5ac4839dc0945d338faf27a 104 3
Suspicious Csi.exe Usage Konstantin Grishchenko, oscd.community Sigma Integrated Rule Set (GitHub) d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add 104 90
Certificate Exported Via PowerShell - ScriptBlock Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 103 87
DarkGate Joe Security Joe Security Rule Set (GitHub) dfc9dcb8ede2865dff1a44cb75938a2bc7fdc4d1e1df42cbe2d0cbc6472da1a1 103 0
HackTool - Bloodhound/Sharphound Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a 103 7
Potential AMSI Bypass Via .NET Reflection Markus Neis, @Kostastsale Sigma Integrated Rule Set (GitHub) 4f48e177e42323bad59a64ab7de8ad6105458dbcdbb255b095f3c17aa618478f 103 3
Sysmon Configuration Error frack113 Sigma Integrated Rule Set (GitHub) 1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 103 11
Add SafeBoot Keys Via Reg Utility Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d0f01e5bb13e8ce7a78203105d6c6fd359d6150767bbbfa4de80faa61bbf2099 102 43
Ramsay Malware Behavior Ariel Millahuel SOC Prime Threat Detection Marketplace 9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 102 29
Suspicious MSDT Parent Process Nextron Systems Sigma Integrated Rule Set (GitHub) 22974e8b759cb4125a56f2d16e37f8fa3020d7ae087aad754afe46386ea694e0 102 55
New Remote Desktop Connection Initiated Via Mstsc.EXE frack113 Sigma Integrated Rule Set (GitHub) 257b13d5b7127756fd3872ae69c87afe430e3a8d7933cef87a19e05fc1658d70 101 30
Potential EventLog File Location Tampering D3F7A5105 Sigma Integrated Rule Set (GitHub) 69c8a912add6ff74c81727a758b844925127c8257fd99143e46ba28f67a29517 101 63
Wusa.EXE Extracting Cab Files From Suspicious Paths Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a3bdc335aeefb2b18bcd061bd2c29809fd034b8ebaf07e3dc6c94af5ff27b7f6 101 0
DLL Loaded From Suspicious Location Via Cmspt.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7fde3c5ae3c028a596ad8a76eb1a4b7ab0f64f939f847ef0f25f723659fbae8a 100 1
MMC Spawning Windows Shell Karneades, Swisscom CSIRT Sigma Integrated Rule Set (GitHub) db1e0cf723dcd4169ac8bc1fb3f0679715ccb323d3a3e42e23cc811efa0d9e98 100 4
Potential Suspicious Windows Feature Enabled frack113 Sigma Integrated Rule Set (GitHub) cdcec55ed90affa3868db81d308f5a76204c51b717f1cd5ba3c9feee5ce926ec 100 22
Powershell Local Email Collection frack113 Sigma Integrated Rule Set (GitHub) 7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 100 43
WMIC Unquoted Services Path Lookup - PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 420c9214a5aa1f50a2a85504e221b82931637956daecbfebfda630bb7c586f60 100 59
Data Compressed - PowerShell Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e 99 49
Potential Persistence Via Netsh Helper DLL Victor Sergeev, oscd.community Sigma Integrated Rule Set (GitHub) cfb3049a2fd55cd1ff6721dc9b502008c4449922474c40b20b8f6fab4f51ce02 98 25
Linux Network Service Scanning Tools Execution Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) Sigma Integrated Rule Set (GitHub) e34284bbb0ad4c302ba9dd1fde4f2de41f24db62c0b7bbd57804d77d81b02119 97 82
Enumerate All Information With Whoami.EXE Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 746ffdc60cc4e7f5b9ace4026da8fbc6a009bb58f285f72d6c62cd9b9f2c867b 96 20
Linux HackTool Execution Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure]) Sigma Integrated Rule Set (GitHub) 86323a066135586878b5ad6ed6ff2638ee0808cde3808480271dfac95b04807f 96 43
Malicious Windows Script Components File Execution by TAEF Detection Agro (@agro_sev) oscd.community Sigma Integrated Rule Set (GitHub) 1aed5dfd628d749d7b679eefe579532b3ff3ca46fecf65776910e7de7aaa6148 96 4
PUA - Ngrok Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc 96 25
PUA - Nimgrab Execution frack113 Sigma Integrated Rule Set (GitHub) 91bdf8703cfbad287d4568a09b53790b20efdead5896d044bccf4d80efab7970 96 0
Uncommon Microsoft Office Trusted Location Added Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e2890486c08a6306f0ed3294555a371fc9af6989a617f720dcd5d85002823cbf 95 44
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 4e8b6e96f08290c2d17de56622ea6ab96e4e69ac05b74c3f70d52ed74f859533 94 44
HackTool - Covenant PowerShell Launcher Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777 94 6
Exfiltration and Tunneling Tools Execution Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 6ba70df29bf2469a0e7931226da06a144c5e9044543a14e1fae2bcd6c17f9374 93 33
Removal Of AMSI Provider Registry Keys frack113 Sigma Integrated Rule Set (GitHub) 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 93 8
Suspicious Process Created Via Wmic.EXE Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 97abad7c8edb5cdf286b45712f14b577d1653fa738d3d330a0473a1d48e5aac4 93 6
Windows Firewall Disabled via PowerShell Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) a0a3572f7e566559cfcfc8970108fc01b0ad35103e76b5359955ed4c7d4ac60e 93 6
Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 92 1
Powershell launch regsvr32 Joe Security Joe Security Rule Set (GitHub) 59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 92 10
WMI Remote Command Execution frack113 Sigma Integrated Rule Set (GitHub) c63cb58172dccb53cf9cd1dd7f6a65cc8843987d003bcbb7b0c1e7769c3821c4 92 21
PUA - NPS Tunneling Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9b4f9dd1295bf299dba100d2a75a3f7188ba51a90dda3e0bf371708f55a40507 91 1
LOLBAS wsl.exe (via cmdline) Den Iuzvyk SOC Prime Threat Detection Marketplace 55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 90 0
Office Macro File Download Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) aaba58981e0428da3913c964606d7609d2f2b2553131eb76cbc3b1fbc611008a 90 63
PUA - Advanced Port Scanner Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fb482f5fd709d1ae001f190ee187e694e6ae6473e73b36e57e49b6908a1544c3 90 7
Potential Signing Bypass Via Windows Developer Features - Registry Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) bc27e2c02d1cb4d2eba75aa1668359b5caaafc79eb2531bdbe54410d63d727f3 90 29
bitsadmin download and execute Joe Security Joe Security Rule Set (GitHub) 613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 90 7
New Generic Credentials Added Via Cmdkey.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b71ea6893f3e92a9d7d7ffb0de6a327a1a755b01c115465f079fa8cce81013d5 89 22
Powershell Inline Execution From A File frack113 Sigma Integrated Rule Set (GitHub) cbf84e925032ab806dad545cb848e4318b275d75f3a40c8cb9664e0172444779 89 39
Renamed ProcDump Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) db74c62019a53e7519a7392215062ee6be4525e5374b4191fb8eeffc81cb981f 88 34
Unusual Child Process of dns.exe Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) 1a409a5e5fee95e8f39012c0517568143fbf3ceac2b7bf87e81ab5eb50d8a6f9 88 37
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0caa50babf4475fc8fa04167d47d87d1e0d04294b8534c19e180e2c9dde0012e 88 66
History File Deletion Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b5287b77a0f842e5d6ac8cf6125132aeeac4e8f639751744c9c256006803a919 87 22
Scheduled Cron Task/Job - Linux Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 17e54e203e8a8aa2c9b914202cbafe7a371b6019f97729b83dc10a8f643dc884 87 14
Creation of a Diagcab frack113 Sigma Integrated Rule Set (GitHub) 76466a8380202538b40850a954fbd8b6bab964c61bff3742c35d8a8e0bc582fe 85 36
HackTool - SharpView Execution frack113 Sigma Integrated Rule Set (GitHub) fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba 85 24
REGISTER_APP.VBS Proxy Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2d663b64fac0627c9d7a810d3e1e3c10a5321e0d9f0ff82bf3f9ade891ad15e9 85 42
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) 3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 84 73
Potential Vivaldi_elf.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 346397c1566ef1c4a5cdc5efaf829819cab3cfe203071185adb35187df0ce7fe 84 80
Scheduled Cron Task/Job - MacOs Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 572b438b19c769d86cabf9aef66e7f6d1cadfa28c31734af9cc9577e10af72b7 84 12
Disabling Security Tools Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 17b8565aac7819789a47a069aa7bbdb1c69f755edcfcb766c10e1d973768a357 83 8
Nocturnal Stealer Ariel Millahuel SOC Prime Threat Detection Marketplace 08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 83 1
PowerShell ICMP Exfiltration Bartlomiej Czyz @bczyz1, oscd.community Sigma Integrated Rule Set (GitHub) 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 83 33
Suspicious File Download From File Sharing Websites Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 81df8b624648173975c91181526939696ab64698fa03b22522b81744d5cc10bf 83 45
DUNIHI Malware Ariel Millahuel SOC Prime Threat Detection Marketplace 4e8573bf949d0f277bff56a18b256181b950262693a43cfad1d247e035aec8b5 82 3
Potential SocGholish Second Stage C2 DNS Query Dusty Miller Sigma Integrated Rule Set (GitHub) dc5cfaa0b6ff45a4864ee8be51bb9c91ef2f5d94c791e000efb78473258ad5ca 82 23
ShimCache Flush Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 82 48
Access to Browser Login Data frack113 Sigma Integrated Rule Set (GitHub) d3129d20de2d7890e0b90366b7a86a16ce9ca2c330c67005b72bfbd4105aa6d8 81 26
Potential File Overwrite Via Sysinternals SDelete frack113 Sigma Integrated Rule Set (GitHub) c79aec25ed8a3cf07f3a43954d8dda5823dc140075f59c4e0cae1e5a3aee8072 81 18
Suspicious Child Process Of Wermgr.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 656aa4cd1d10955cd1240f1e010961aaeabc323850ef28dcdecc9f334ffabd54 81 1
Suspicious PowerShell Invocations - Generic Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a 81 5
User Has Been Deleted Via Userdel Tuan Le (NCSGroup) Sigma Integrated Rule Set (GitHub) 841f0c710bf05773a21dbfe0cad9bb0d7a04273cb01c06da89b03b588376c12c 81 12
Suspicious File Downloaded From Direct IP Via Certutil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) bba68f86faec56fff7827bdc8b4bb20cf69d80ccf8c956daadc7bd68839665ed 80 3
Brontok Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 79 0
Delete Volume Shadow Copies via WMI with PowerShell - PS Script frack113 Sigma Integrated Rule Set (GitHub) 7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be 79 2
Enable Windows Remote Management frack113 Sigma Integrated Rule Set (GitHub) 7f8fcfb39f92617ac21dbc51e4c66b0663520cef30300bc28dd89572f6574253 79 50
MacOS Network Service Scanning Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 4fff924a8370247252e1b93169b91f3d7ed7d41b98603cfd2b8ce78153c97dd3 79 66
Print History File Contents Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 57c5fa03a480d2503b2cd8c6055b57b3042a03030864c8e431c7077229e32019 79 4
New TimeProviders Registered With Uncommon DLL Name frack113 Sigma Integrated Rule Set (GitHub) 4644dba35bcca22688aa47798c36c6f13bf03864da995c52366df9c473e02450 78 15
Potential UAC Bypass Via Sdclt.EXE Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 9076ea2849a39de53427fc7d336a9132ac1d6dea68e77efa6abafebd89ee90c9 78 11
Potentially Suspicious WebDAV LNK Execution Micah Babinski Sigma Integrated Rule Set (GitHub) 6e4a67b9f486826d18a1ce99c8aee3a5716e826b350437dd6d7b2382e9e6e61a 78 0
PowerShell Script Change Permission Via Set-Acl Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4dda7280ec76865e53f8a5b9094b4f45af5182eae613d2d336f0bbbc028a76b0 78 7
Suspicious UltraVNC Execution Bhabesh Raj Sigma Integrated Rule Set (GitHub) a1005bb393ae9323ec95dc47f2348fea7262e1297f7d5c4e3c9b21b672fe467e 78 10
HackTool - KrbRelayUp Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 914dd9cda73bd6f9573dbe9e9a1fdfc390464d03b96dd1d0ac163be4f300aff1 77 0
Filter Driver Unloaded Via Fltmc.EXE Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) d00afaccf4e488d3a0607eb98f532801d652935f6a0f82e8dfe2240b90f12b5c 76 51
Potentially Suspicious Regsvr32 HTTP/FTP Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e907309004a16bdbee14bf081959e1fdd8d3923c01d4153603226d7722c190c6 76 33
Frat Trojan (Loader detection) Ariel Millahuel SOC Prime Threat Detection Marketplace ba827fe25e86d6bf964385767d27442482e273923ce0185d7c335239fda7a2b2 75 0
Execute Scriptlet from internet Via Regsvr32 Joe Security Joe Security Rule Set (GitHub) 1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 74 3
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9c7804b6bfb1ca0e93a863185af19f14432fde4b07d2ac68fb1a44032467c98a 74 13
Replace.exe Usage frack113 Sigma Integrated Rule Set (GitHub) 067314a472e516edad2a871cb6ccc07c4490f9e36622e820cb8d7ff88b0f9fd5 73 0
Suspicious Service Path Modification Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8583e6aef0800332fe3fd71771daa3901bacd1a4e3b8ae12333da5f445913332 73 7
Potential Persistence Via Microsoft Office Add-In NVISO Sigma Integrated Rule Set (GitHub) 87bbef1292c33b8d07238254d96faa4edbe7d7b241c05444918849684077237e 72 12
Script Event Consumer Spawning Process Sittikorn S Sigma Integrated Rule Set (GitHub) 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 72 0
7Zip Compressing Dump Files Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2194ceadd602ef4103a4715be6673214407021d3ff227fc3c520c0b9f51d9008 71 33
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) adbbf1b1fe76c2a86e148fcc66a37c2f361f6d40ce55e510f70409c09d434ea2 71 21
Suspicious Where Execution frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 46ae66dd22967fe384fb2758be37ee4bc4eb6756891eb9d7ebb29342e2dd03d1 71 32
DNS Query To MEGA Hosting Website Aaron Greetham (@beardofbinary) - NCC Group Sigma Integrated Rule Set (GitHub) 8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 70 21
ImagingDevices Unusual Parent/Child Processes Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 95fe2608b1dadcb60e16a7627b715b848f056f452fc93639201d185bd1c91a25 70 0
Nslookup PowerShell Download Cradle - ProcessCreation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4755ccbf487b7c6fdaea8383493917837a2c86ff682d94f0f57d6b09349e0ddc 70 15
Rebuild Performance Counter Values Via Lodctr.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f2f0bbc1c620055ffb4b0372c73c17ad21ce521d43cd8a6d18c9d374f83932f1 70 42
Recon Information for Export with PowerShell frack113 Sigma Integrated Rule Set (GitHub) 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 70 4
Renamed Msdt.EXE Execution pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 547b4f9fe578b9d949c01be391e76decb1e95b632ac54aac474eb858c0f1f5b3 70 7
Ryuk Ransomware Command Line Activity Vasiliy Burov Sigma Integrated Rule Set (GitHub) 1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f 70 4
ScreenConnect - SlashAndGrab Exploitation Indicators Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 23407cdf316994ee153a1d8c66bd52f5a92b9564c834831e984ea04d66dc2f92 70 0
File Deleted Via Sysinternals SDelete Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 13320004e8b7f532ff0dcbcc7a564fd60fa782490cdaf6e553e89088ded28e41 69 6
Lokibot Detection Rule Ariel Millahuel SOC Prime Threat Detection Marketplace be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 69 0
Network Reconnaissance Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9d9af026eaa77db7d0e5377f50092e459940178fe0e043501343b6432f0f94d4 69 1
Potential Ransomware Activity Using LegalNotice Message frack113 Sigma Integrated Rule Set (GitHub) 7c1a95ef0474a975a04b961bfb754a69cb4d482b12e33fc8194798229f828125 69 0
PowerShell as a Service in Registry oscd.community, Natalia Shornikova Sigma Integrated Rule Set (GitHub) edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e 69 2
Suspicious Powercfg Execution To Change Lock Screen Timeout frack113 Sigma Integrated Rule Set (GitHub) 82b3e64b1ffbd6e42b9c816c24dd39f029501b0a8e06e337701dfc101f978f0d 69 17
AnteFrigus Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 68 10
Decode DLL Via Certutil Joe Security Joe Security Rule Set (GitHub) 512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e 68 0
Run Whoami as SYSTEM Teymur Kheirkhabarov, Florian Roth Sigma Integrated Rule Set (GitHub) 6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd 68 6
Sdclt Child Processes Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 440b98d4bf30e3c39e7c17aa21aaa561647a4230e418cf901961b1604e27877c 68 12
Suspicious Mstsc.EXE Execution With Local RDP File Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 205a65cd894184e7d2a59da78310f8cb3262995f30c3015a05293c7754e5916c 68 5
UAC Bypass Tools Using ComputerDefaults Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 68 0
Suspicious Environment Variable Has Been Registered Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b699c275e510eda7cf1e9f4fdb0a9e8e780d9e307b37d98aa4524c6975b9847a 67 15
Credentials from Password Stores - Keychain Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 66 65
DLL Load By System Process From Suspicious Locations Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a341c10327c4d8c5407ea5b704ad11932a391174e37332792a2b456adf4ee9b8 66 5
Potential Persistence Via Powershell Search Order Hijacking - Task pH-T (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 262548bdd551b5516ac8ba4e7c13b94c1164ea5766dc08877e95dcb2930be717 66 8
Potential Regsvr32 Commandline Flag Anomaly Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0febc469c613c6ae3155a46fb291f1ebf74d38c09b1dbb5478c2f9f36af7b599 66 20
Powershell XML Execute Command frack113 Sigma Integrated Rule Set (GitHub) b8a4fbd826f854871ab62dc0ad49ae048575057a6293a2c8109f04b8662a8162 66 24
Powershell drops NetSupport RAT client Joe Security Joe Security Rule Set (GitHub) fff7f3f069862bd6d4a1202e842c62ff93c981b9fefe582ca76320826999ff81 66 1
Suspicious Curl Change User Agents - Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 85e2c3c8bd260f8a67a582a43493b73662159bf74036dcc05b8952c84be8bc2a 66 57
HackTool - SafetyKatz Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e12ef0018b230868661eff7c8a74baf3f9a0ea5e0380b63b339c9218278f2057 65 0
SharpRDP execution Den Iuzvyk SOC Prime Threat Detection Marketplace 31cfc7594bce0379cd087a7f0fc2e2da4a491ff6b2df31db447eac7eec8b2d22 65 14
Suspicious CodePage Switch Via CHCP Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 843024550fd9239f814fd3dcd7f1f768fe7316501173bb485e673bdb9abf1d63 65 16
Suspicious Execution of Sc to Delete AV Services Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7f8a2779f372784da42ba3ea542708f81eb3d3784b03ec4d156d94dbf9190887 65 4
DeviceCredentialDeployment Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 63437b0e9c5e21d2823a28f0a428ee4bad8d30ba59ddbfb9227fe13452f1aebe 64 5
Oxypumper and Qwertminer detection Ariel Millahuel SOC Prime Threat Detection Marketplace 2e9004538d0ac25abf5f74d2ab10e6804e8c5a6d78ded8ec678d1d57791fdd4d 64 9
WMI Persistence - Script Event Consumer Thomas Patzke Sigma Integrated Rule Set (GitHub) 3b638ebc248d5ac99c1adb404e0b5f4adc3784b9af6f02b296381a950e9e8fdf 64 0
ConvertTo-SecureString Cmdlet Usage Via CommandLine Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) d44e437dafc368f03a2c93e0239ddf8a89f25343b0747774d67a1b84e48eca09 63 10
PoetRAT detection Ariel Millahuel SOC Prime Threat Detection Marketplace 8d515240682e798faa78be0b976770c35f93bbf484d6a3876b1f640670a5aaee 63 1
Registry Persistence Mechanisms in Recycle Bin frack113 Sigma Integrated Rule Set (GitHub) 661375a6a064f858d66665c13895d00ce56bb356ccda48cbc40727b9b6f4e220 63 1
File Download with Headless Browser Sreeman, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ab434fe480ee2a7a4567eef38af37753eb61b2fe82708db1056313a73ab0fac0 62 4
Lazarus Activity Bhabesh Raj Sigma Integrated Rule Set (GitHub) 735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f 62 0
Uncommon Extension In Keyboard Layout IME File Registry Value X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 17a95e740c3d081eefeec61bf1fd312a2276a380be6923c632ed7d8660285301 62 2
CrackMapExec File Indicators Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 254c83f0491d9e699fbdf23d06bc63ef62e908d45901cb872d0268ad51aa0543 61 11
Suspicious command execution Den Iuzvyk SOC Prime Threat Detection Marketplace 2493810bc5072dfb469437cfe4848e404b84ec5690670b79ab60bdf138d06139 61 0
HackTool - CreateMiniDump Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 60 56
Potential Attachment Manager Settings Attachments Tamper Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ab75582abe82ab90071a874b2fc815cf2027c5505ce7f0b149210f67dd27dfbd 60 4
ScreenConnect Temporary Installation Artefact frack113 Sigma Integrated Rule Set (GitHub) cbf91c8dea063cd256525b4053b25b4afe0528021d02d0b0d380321ebc5c9a7b 60 11
Windows Kernel Debugger Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) bdfabe357d29db481ce92a1bf99197e1220f79336d0a6a891f56d430f607e756 60 7
DllUnregisterServer Function Call Via Msiexec.EXE frack113 Sigma Integrated Rule Set (GitHub) 2e95aeac423a48e1ef8f7275c2f49a8fe3fe9a7e83b9db9f856d1f2d3edb1a10 59 24
Suspicious File Encoded To Base64 Via Certutil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) aa7741239d7d626a6e7b92ca2405578c580c500eef1489d3115aef2b00b667d1 59 17
WMI Persistence - Script Event Consumer File Write Thomas Patzke Sigma Integrated Rule Set (GitHub) f4ab9cd44db2481795fe0edd858471bda0d0b73d8e406124bf76a2a074ac5360 59 0
Deleted Data Overwritten Via Cipher.EXE frack113 Sigma Integrated Rule Set (GitHub) d3e54936275abafa46d4b77891ec8f7fe6dd55d420fec613476144dd5d26f1a7 58 6
Mshtml.DLL RunHTMLApplication Suspicious Usage Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA) Sigma Integrated Rule Set (GitHub) 81da16a2acd4f2ead3a5744748fade75b7d63b7ec6498731e5106bf2d48265b6 58 7
Shedule powershell with encoded command parameter Joe Security Joe Security Rule Set (GitHub) 915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a 58 0
Spora Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 8a1a4505f9c0ee688392c73f69566ea35c3597f51241af4cb0ddb23057c95474 58 19
Creation Of A Local User Account Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 57 57
Execute dll with txt extension from temp location Joe Security Joe Security Rule Set (GitHub) d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a 57 6
Portable Gpg.EXE Execution frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 37975ef2a9d7686f9cb4712638e4cb91aa474f7ff5d6d96097cf31e8ac891e00 57 7
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 81314be6adb2ae8f1bd104c4f35d68c8ff62ddfea655e64c5b1c92082b72d5ae 57 0
Binary Padding - MacOS Igor Fits, Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 56 33
Credentials In Files Igor Fits, Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 56 32
Linux Package Uninstall Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5e489648e7cddbfb6f319308353866e71f83fcd5e3663e83ecf5f6f7f01383bd 56 53
Linux Shell Pipe to Shell Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 961d6ba3c55de28bad39a9ca6bc10d12d7d1180abd7f3b15244347c72b37be1c 56 4
Service DACL Abuse To Hide Services Via Sc.EXE Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) 31469fa3c8d37b7e80913d07ce5549c9371e193ac3f0d3211f519adbb2de950c 56 1
Tamper With Sophos AV Registry Keys Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e959b2b5eb8766c7e43ff42c19d740cc07c317b6e149c3d8a8901fb6440f5af8 56 47
CobaltStrike Load by Rundll32 Wojciech Lesicki Sigma Integrated Rule Set (GitHub) a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 55 1
Potential Download/Upload Activity Using Type Command Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 60989d33f57e8b54080cc6f5ddf172214858d74acfac7a314daabf794b9ffe4b 55 4
Regsvr32 DLL Execution With Suspicious File Extension Florian Roth (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 55 7
CreateRemoteThread API and LoadLibrary Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 54 4
Created Files by Microsoft Sync Center elhoim Sigma Integrated Rule Set (GitHub) 90e6abcfde9453786cbe5eb7bd26a659703b1abfdec9d9441778c362dd6be63c 54 0
Socelars Malware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 54 0
Suspicious Execution of InstallUtil Without Log frack113 Sigma Integrated Rule Set (GitHub) f87a49b6d1417f2f418f84c8a8b3d23964133dc7c1b7e18b02a1d2b8deaba8a0 54 19
UAC Bypass Using IDiagnostic Profile - File Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 31d928b4b0adc82d81a6490585e87953d808c285ed5d3b25bbe1a461234e37f6 54 0
Monitoring For Persistence Via BITS Sreeman Sigma Integrated Rule Set (GitHub) f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e 53 6
Post CVE-2017-5638 exploitation Ariel Millahuel SOC Prime Threat Detection Marketplace ac7133ba82228763e38c9dece3427e679698ee3bedde0c21e00adf3e4dfa06ac 53 0
New PortProxy Registry Entry Added Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) e95b67f51925e56d5e1ce56881ff5e65536dbd80108577670b3adf94d708f2e7 52 6
Potential SMB Relay Attack Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d702a3f44f93b4f3f9c5cd7b73d3901b2db7d1b3db3e051b5135849e3f812ecb 52 1
Suspicious Dropbox API Usage Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) fe21430fab5862ef48455258a0cfede5d05b0a4f20d0d459862c92c7b18903cd 52 18
Bypass UAC Using SilentCleanup Task frack113, Nextron Systems Sigma Integrated Rule Set (GitHub) 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 51 4
Container Residence Discovery Via Proc Virtual FS Seth Hanford Sigma Integrated Rule Set (GitHub) 442971bed1da8160e4493d1cbb6e206863e44b4d3bc071439930f75b57155168 51 47
NetWire Joe Security Joe Security Rule Set (GitHub) f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c 51 0
Remote Access Tool - ScreenConnect Temporary File Ali Alwashali Sigma Integrated Rule Set (GitHub) 89e2039b23d63fdecc8053691737fa87fe9a15765e0720e5fd3f99847b67fd93 51 0
VjW0rm Joe Security Joe Security Rule Set (GitHub) df4c3314c54ac26310706f85324f7952f1a6f38db2953516f58f8f43d67918bb 51 0
Default RDP Port Changed to Non Standard Port frack113 Sigma Integrated Rule Set (GitHub) dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b 49 4
Linux Remote System Discovery Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) b76b38e7cf87e1b2f37b568047e66cfd972f62fbfdebc15ecff4adb21293b524 49 42
Named Pipe Created Via Mkfifo Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 77f498d597306f31d012acd8f1cacd8b91b660138f6b7da5223d25351be26d4c 49 40
Remote Access Tool - AnyDesk Silent Installation Ján Trenčanský Sigma Integrated Rule Set (GitHub) 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 49 5
Renamed FTP.EXE Execution Victor Sergeev, oscd.community Sigma Integrated Rule Set (GitHub) 1b0331796dea16652e2a96f7864c155f7ff236142499897fcba7142c8eb1a007 49 4
Unmount Share Via Net.EXE oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 407e4bde1473325159e680d149f0f254239a0a299c46a43635758710d7592f65 49 12
Potential Persistence Via Microsoft Compatibility Appraiser Sreeman Sigma Integrated Rule Set (GitHub) 9fc475ae448749ce7b6c7760c27eaa960cebb3e61dd32ccdd1ffa55dc831eff2 48 25
PowerShell ShellCode David Ledbetter (shellcode), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 48 0
Qakbot Rundll32 Exports Execution X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 312c58213f5112dced4d90fdbd5b3f6024663cf7b4c85b209ddcc69bc0a84857 48 0
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock frack113 Sigma Integrated Rule Set (GitHub) 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c 47 25
Changing Existing Service ImagePath Value Via Reg.EXE frack113 Sigma Integrated Rule Set (GitHub) 3a4567bd735e7ae20a9b3bf3921ad6e9acdec3b957cdbdb4eebfd6feed5670d3 47 20
HackTool - SharpUp PrivEsc Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b9df87571912714cc7a36f7a1ca3fdd9625d8ccc37a12862bdb202fba7c22869 47 3
Suspicious Usage Of ShellExec_RunDLL Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 583f46a94081ca6e4e09e8191f1cc5fe8a0b11239ca27da18ef2ad12a48786b7 47 0
Adwind RAT / JRAT File Artifact Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) a7648695383d3c54094a9a623178342f9965ac5977fdf3c70016e06b5d12fbdb 46 1
Disable Windows Security Center Notifications frack113 Sigma Integrated Rule Set (GitHub) bdccaff58cca68f197ac8f69e4b633c0bb114e3868020f4970296aa9e2866485 46 7
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Daniel Bohannon (@Mandiant/@FireEye), oscd.community Sigma Integrated Rule Set (GitHub) 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 46 0
New BITS Job Created Via PowerShell frack113 Sigma Integrated Rule Set (GitHub) cfec5ce24be18b8a5b6ee565ce5bb62f0aa614ff0754094a9cb6d113b97decbe 46 5
Registry Dump of SAM Creds and Secrets frack113 Sigma Integrated Rule Set (GitHub) 3e6aec9c264981c1c738cf2bb29a907f7fc01867b91cf31a6d4ba46d35129230 46 11
Remove Account From Domain Admin Group frack113 Sigma Integrated Rule Set (GitHub) 2b323eb1de293c4dbf91041f23c3507c4aaf71c4bc36b04ccb8fc5731995a398 46 24
Cmd Stream Redirection frack113 Sigma Integrated Rule Set (GitHub) 5f96e6b063aba9535c425e87ec855e1751d2d80c4099135c5b165fdf5bdbc5dd 45 6
Hacktool Execution - PE Metadata Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8b5d84914e5e7715fc7effca7b1d2ad513d7fee3b5afb0e324a42c2d3103cd49 45 0
Linux Base64 Encoded Pipe to Shell pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) c1f964672685d4a8074a0afd7ede2d3d945dd73712ba41714baef2affeb3f567 45 1
Potential Persistence Via PlistBuddy Sohan G (D4rkCiph3r) Sigma Integrated Rule Set (GitHub) 0850dc4a94c84042d7171de3546d552afc54d9d8acb5e48096ff4ddb12b7691f 45 1
Vulnerable GIGABYTE Driver Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e55e3c4025c22c464d209815a3411299c407e870eab4c5aa9ef362b217babade 45 1
CodeIntegrity - Unsigned Kernel Module Loaded Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 647cd15325a4886379855a1ac10656200efc53f23b4acdaedb38599f61f8edaf 44 20
HackTool - Generic Process Access Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) d75877001c4c1624b11d25475f47d8be26299f4d7b63b5f142efab818fb42372 44 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) 3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 43 12
Use of FSharp Interpreters Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) ab87de6df917b48304e512d979d27ae1a0c4b3b63106217afe10aa1059195e7e 43 19
DD File Overwrite Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 42 23
Dump Credentials from Windows Credential Manager With PowerShell frack113 Sigma Integrated Rule Set (GitHub) 5058b79d96d2165425d539e148ae3fe578dfa62b75b71f82ca2bd6bc347be4d5 42 10
Microsoft Office Protected View Disabled frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6d5a609a6b004ff13f827d2c892bfdf14add4eea1de46a0f4d8911bf8f4f7bb5 42 13
Microsoft Workflow Compiler Execution Nik Seetharaman, frack113 Sigma Integrated Rule Set (GitHub) 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 42 8
Obfuscated IP Via CLI Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) f9580d1ddc8753d3db3625ce853e150314b148df4d5279a69d3781cc031996c9 42 4
PUA - Nmap/Zenmap Execution frack113 Sigma Integrated Rule Set (GitHub) 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 42 17
PowerShell Called from an Executable Version Mismatch Sean Metcalf (source), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ed7108b00b6a517dcbcd529d98b8c8e1ed551160e89bbf03699b6fe2e3b49fc2 42 5
Suspicious Nohup Execution Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) d30303a3345f6a0b7f9c34a75b5a00dd959e4955da823dbe1207107eb2753920 42 11
Suspicious Scripting in a WMI Consumer Florian Roth (Nextron Systems), Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f 42 0
VBScript Payload Stored in Registry Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 42 20
DNS Query To Ufile.io yatinwad, TheDFIRReport Sigma Integrated Rule Set (GitHub) 948e697920a298ec6250c9c3157174bb53f162acfe6435ef673ac34c61021f2c 41 11
Dupzom Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace 68250cc49ef2301bbd3bc5104579a2f065206211acccf6978a71097bddd98d6d 41 0
Potential Credential Dumping Attempt Via PowerShell oscd.community, Natalia Shornikova Sigma Integrated Rule Set (GitHub) 860b2c5aa11877dcc332abdbcb448878b95f010531b81f04afb77fd2c7aaf9ab 41 7
Potential Process Injection Via Msra.EXE Alexander McDonald Sigma Integrated Rule Set (GitHub) 973e933a4e2394093f5cce603e5ffadbcf35df2afd29c4dc0e1a002e06d9b58b 41 0
Remote Access Tool - AnyDesk Piped Password Via CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6e0d326cf1248be3c35ad4a980fd0b6fd00f190e2b6bac28494062e11f1d9db1 41 0
Renamed PsExec Service Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80d7ce564675dedfdbf8c13540cced6343bb1708c20306349a108b369920509a 41 1
Enumeration for Credentials in Registry frack113 Sigma Integrated Rule Set (GitHub) cf1e24c4e4b805857977d873b41de8cf08d618fa56ffb27ece5e9b41e84807d6 40 23
HackTool - Inveigh Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2bfe4c7c4dfa23e7dbcb187f2cbe57e783da76cc66114dacec73520935d9bf78 40 1
Indirect Inline Command Execution Via Bash.EXE frack113 Sigma Integrated Rule Set (GitHub) dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 40 23
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy frack113 Sigma Integrated Rule Set (GitHub) 59b625af50fa92cc05953cfdf68d6c931bb58a09a058e54757d152acfce5923c 40 26
Use of VisualUiaVerifyNative.exe Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) c2fb9169c48cfbf7abc02540d8fc5c9d887473aed872aed30dbd4f8a9ead5a5b 40 8
Hidden User Creation Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 809fde43d8c51148345ce94401363b56daa369da6e6bdb766f26a3a3af847f65 39 39
MacOS Emond Launch Daemon Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 839422d12551f797abb514fc052bfc852f3811d1b983090ecd6b6cf2f22d8ed9 39 0
Sysinternals PsSuspend Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a5499c523df320d4d17393e8439d7a17bdbe13b398428715aa85f865a9ac040e 39 5
Wdigest Enable UseLogonCredential Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 549fd181a20cb87efd19fddc858140d8495cd434cc6a9b662dcc7d8bb35804ae 39 2
Glupteba malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace bdf42e1363c4a10d6bcc355bf1a7fd1cb54d15737372cbd542de0642fb26eb5b 38 0
Hide Schedule Task Via Index Value Tamper Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c330740ff90c619e583a655e80d545f5ee7c435e58ee3bc2365a0eba1deaf010 38 7
Pnscan Binary Data Transmission Activity David Burkett (@signalblur) Sigma Integrated Rule Set (GitHub) f85fc8e3b59a0650920e8626c3ab8f8e1aee6c2a45989f0048db72682e95717f 38 38
Remote CHM File Download/Execution Via HH.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5544bfe63d743fba858c3a75c7dd46a76520367a1278b1fe3d5c5609dc42fc4a 38 27
Suspicious File Characteristics Due to Missing Fields Markus Neis, Sander Wiebing Sigma Integrated Rule Set (GitHub) 608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc 38 0
VMToolsd Suspicious Child Process bohops, Bhabesh Raj Sigma Integrated Rule Set (GitHub) bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 38 1
Disable-WindowsOptionalFeature Command PowerShell frack113 Sigma Integrated Rule Set (GitHub) 3becb58829ad8f8f58a8716e0deb90627269a650475809ba1704d3facae71a69 37 15
File Creation In Suspicious Directory By Msdt.EXE Vadim Varganov, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 43c5a24c90e796a35f043d1ffc474c71db1b33cbb25ae045be1efab7477bc486 37 7
HackTool - Impacket Tools Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 37 3
PUA - DefenderCheck Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d29242190c6dffd993895588fbb9a2918a3e0e636e3cd6560339d9ae469f3bdf 37 1
Suspicious Unsigned Thor Scanner Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 845ad09a7d56e7163ba8162af3cd6b1ecb26b7cc95443795b162eceb8659f992 37 0
Drovorub Malware Detection Ariel Millahuel SOC Prime Threat Detection Marketplace 00861734ad4b4865c4fd337b091aace8388feda059f681fa1a0d0a6659b55d31 36 11
Suspicious Cobalt Strike DNS Beaconing - Sysmon Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd 36 0
UAC Bypass via Sdclt Omer Yampel, Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b 36 0
MedusaLocker Joe Security Joe Security Rule Set (GitHub) 210f9984c24831780960074692a8e0641937345a359f29224036fa53ab77414b 35 0
Potential PSFactoryBuffer COM Hijacking BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 37782d04601239241ebe09601b69caf3da92679e05edb94dcf699346e06be653 35 12
Potential RoboForm.DLL Sideloading X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) abaa40290a66ddc6c6b30a8e4d86fb5d86e943057cc9bd8c4e412056329325d1 35 22
Powershell MsXml COM Object frack113, MatilJ Sigma Integrated Rule Set (GitHub) 38c7f03136a955c75f92f48bde1f9544a6d996418d05fae60f1efc916f0ea88a 35 8
Suspicious Debugger Registration Cmdline Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) bf194ab090c7130529a9fd6a7f876d5fc008ceecf627db81eef41431ffaa3c53 35 8
Unusual File Download from Direct IP Address Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a2b6862e0b28e1527a68e771f4a09cc77cc168e10e6c8d978df736c414320a01 35 8
DNS Query to External Service Interaction Domains Florian Roth (Nextron Systems), Matt Kelly (list of domains) Sigma Integrated Rule Set (GitHub) 9cd7d0464b2ec471865497eaad8a6c4d1a73db7c60ab90f17e39cd455bb7c847 34 8
New or Renamed User Account with '$' Character Ilyas Ochkov, oscd.community Sigma Integrated Rule Set (GitHub) 6c5cfe607309f4bc96c1644752af6a875fd27ea6910ddff26e40a4ae64a26e05 34 2
Removal Of SD Value to Hide Schedule Task - Registry Sittikorn S Sigma Integrated Rule Set (GitHub) b6b61a17f356fe2363775995997e1051f0931f70e7446ddf4e165f27cc717622 34 5
Hidden Local User Creation Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 084f8f629ce19b2d68d7e27615e59a3ebea0e92f94d25fffcdf6981152cf5efe 33 2
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) af6fba732192700a3e6067cd1013a488ce707b800e7633a9a7aa67b66fd57ec2 33 4
Powershell Keylogging frack113 Sigma Integrated Rule Set (GitHub) ed239970ee8d5e197f594aacc2fd6f6f6d3dae189b2b2aaea8c2f5d100939e42 33 10
Removal Of Index Value to Hide Schedule Task - Registry Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 23fe3e0423af9fe044d336e0f9a8fd2bc07e40d06ee7e394c6c7fd1bd44273ca 33 3
Suspicious GetTypeFromCLSID ShellExecute frack113 Sigma Integrated Rule Set (GitHub) 88dfd5a01f282c28ca7996397793be5f0d467366ce982def90143e1503ce84ad 33 0
Delete Important Scheduled Task Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4b6a191a02d514b34f125957168469a325b2720a4b3592aab7d5528aa5afad64 32 15
Mavinject Inject DLL Into Running Process frack113, Florian Roth Sigma Integrated Rule Set (GitHub) 22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 32 9
Suspicious Greedy Compression Using Rar.EXE X__Junior (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 94e8734168825ab4d47d1adb94a7a1c9bee8ff96dd059cc958d572d0ce091258 32 0
Suspicious PowerShell Invocations - Generic - PowerShell Module Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d 32 1
HackTool - Htran/NATBypass Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) becb1782f61cc6f06558e9bdda4cbc531606bfb0b4b92c0667d6dbde99a67b77 31 1
Inveigh Execution Artefacts Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 04a3ff78807e08f6f792e8645f0d500d0b8ee72ef7ccf43d29295bda7cfa1c51 31 0
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) Ariel Millahuel SOC Prime Threat Detection Marketplace 6b5efce8659d3a3b0a47725b973669cf5b071a5a685525042188d1670c7b2d82 31 3
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE frack113 Sigma Integrated Rule Set (GitHub) 2abd81b6396ea687490b2d703ce07c1abd135ba398d89ab839c66e6a43f713f0 31 17
PUA- IOX Tunneling Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) df765eaa567c547d6a5b1ade1739bfcb54c5c9a76cabb60de34451560bdaf198 31 0
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE Alejandro Houspanossian ('@lekz86') Sigma Integrated Rule Set (GitHub) a6643da2e3310cc36e0e016ed24d7b75aaab7d235acf5d3e46618b8f2c3d94b6 31 12
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale Sigma Integrated Rule Set (GitHub) d5b76fa3cab42361e745d7a1c59d40820a1cab108d30fd2d9fef6c3aade085b4 31 2
Successful Overpass the Hash Attempt Roberto Rodriguez (source), Dominik Schaudel (rule) Sigma Integrated Rule Set (GitHub) e0a74a014c641b36f56f6bab87d33f003162f1e4a4e97882d055aa0c2fbc4064 31 1
Windows Credential Manager Access via VaultCmd frack113 Sigma Integrated Rule Set (GitHub) 3444e8af7fe049353761c697d9c300841002cb9979f0754558abb2baaa8c915f 31 2
Fireball Archer Install Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 82119a59aede1b373e13f532ace644de8571caff9f04869378270de5b5881bc6 30 0
HackTool - PowerTool Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 24223dcd765ae37fd40f3af1054e55119422246e8933dc29b1debbd1cfc67d00 30 2
Sakula RAT Ariel Millahuel SOC Prime Threat Detection Marketplace dacddd5435eda2fc54dcf6d585d0e82a0379e27c838a82bebc8ec9f0c0ac9921 30 0
Hiloti Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace f8a63428721bcc8ad6de541a48e0a1f21d8e73a4f114603bcb7e9066042c502c 29 18
Netsh Helper DLL Den Iuzvyk SOC Prime Threat Detection Marketplace 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 29 23
Potential SmadHook.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) f1ba900adfa240d28790516f5652210eac67fe14d06909d4a23dc7da3e2351d9 29 0
PowerShell Get-Process LSASS in ScriptBlock Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 29 2
Renamed NirCmd.EXE Execution X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1240085183732053f634278b3248292410a8e5db2568b88f00d683a99c69995d 29 0
SQLite Chromium Profile Data DB Access TropChaud Sigma Integrated Rule Set (GitHub) bfe106c088dbc3f0a1e36442a1cffcf01752c0edc0253863c36640731be1e240 29 0
Sdiagnhost Calling Suspicious Child Process Nextron Systems Sigma Integrated Rule Set (GitHub) 4254515e2214920c73b9dc8a7c9f084744461c248ca9e42ffb9e113d325a2615 29 0
Forfiles.EXE Child Process Masquerading Nasreddine Bencherchali (Nextron Systems), Anish Bogati Sigma Integrated Rule Set (GitHub) 32fe36abb39d468ad23cc377de33068c295dce79c9d36eb1c0b7fc94d2012270 28 23
Malicious Driver Load Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) eb9cde748691b89900d3912132c7152f33c227584d841ece03cb44a1db24b597 28 0
Potential CommandLine Path Traversal Via Cmd.EXE xknow @xknow_infosec, Tim Shelton Sigma Integrated Rule Set (GitHub) 66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f 28 17
Potential PowerShell Execution Via DLL Markus Neis, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5980c0048e6d0468659094b73e0c348afcf2c52a7842e03089c1279a023c70c9 28 14
Privilege Escalation via Named Pipe Impersonation Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) 109e6e5533daa3625414a7f58f6a8b34392f3050c582146cfe13876cc85fd9df 28 1
Remote Access Tool - ScreenConnect Remote Command Execution Ali Alwashali Sigma Integrated Rule Set (GitHub) 12aa67b79c3edf7fd84e93ece836d07fcd28e945a17f4c2210723213ffb42055 28 1
Uncommon Child Process Spawned By Odbcconf.EXE Harjot Singh @cyb3rjy0t Sigma Integrated Rule Set (GitHub) 7e8cf2aa9c53d27e74ec5d758c244e7939c04f5252650030b441077572cfcbe2 28 0
Wlrmdr.EXE Uncommon Argument Or Child Process frack113, manasmbellani Sigma Integrated Rule Set (GitHub) 67d3612b65ef2b4db5ee2d86f8437cc82d5e33395a852f7540858df8738250fe 28 0
NET NGenAssemblyUsageLog Registry Key Tamper frack113 Sigma Integrated Rule Set (GitHub) 1c1e1293dd905ae64df7a2e7f1182a624c3a618d411c80d0aff46ed4562d6da4 27 0
Potential AutoLogger Sessions Tampering Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 71000aa981db521aed45841e26a97e5761747be7e168201f1ea473ad3536fb85 27 0
Potential PsExec Remote Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 534500853b096a12173d832563555b71c1116d432b7dabba079946461ef7e617 27 2
Potentially Suspicious Named Pipe Created Via Mkfifo Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e0cf499ab24f3368c176a6b60e38d07e517a3bb7d26f12ed0da003e47fb50b80 27 19
Private Keys Reconnaissance Via CommandLine Tools frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc 27 7
PsExec Tool Execution Thomas Patzke Sigma Integrated Rule Set (GitHub) 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 27 1
Suspicious Get Local Groups Information frack113 Sigma Integrated Rule Set (GitHub) 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 27 12
Suspicious Rundll32 Script in CommandLine frack113, Zaw Min Htun (ZETA) Sigma Integrated Rule Set (GitHub) ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 27 0
Suspicious WMIC Execution Via Office Process Vadim Khrykov, Cyb3rEng Sigma Integrated Rule Set (GitHub) 651f584b690a75e06a7e634cec7a11b17555debdbfffe3f765a988b80ffeacbf 27 0
Arbitrary File Download Via Squirrel.EXE Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) c19e1a6a54ccf6c55fb5923bbc85abd4addae819675e8e4958d9e83689e50c81 26 23
Cat Sudoers Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 39e0f78f119c00983f3d546cbeed2a8f110ed703f5c5b1b18733a235b5fd0b02 26 19
Greenbug Espionage Group Indicators Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f29ccc5a8616c9c1119e794b857a0425268bf5ee86863b612092ec5e045863ed 26 0
Indirect Command Execution By Program Compatibility Wizard A. Sungurov, oscd.community Sigma Integrated Rule Set (GitHub) d4b25cba1a95e034ae6766147690611472b8ce274332b1aee27da6faa04335a0 26 2
Potential Keylogger Activity Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6e703d50e111ee23983e8b6aa4d4451e1e59158b2bb8bd0c0a7bbe38c708c4e3 26 4
Potentially Suspicious Regsvr32 HTTP IP Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) bb39752a4e439774cfd5a035f61c530f6c75b6d694b088178e6c155f78f5563d 26 1
UAC Bypass WSReset Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 26 14
PowerShell Set-Acl On Windows Folder - PsScript frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) afd1a2b3a7d64a4c20cc388003d71422020c407abe143fe186e350fdcac57a3c 25 16
Renamed SysInternals DebugView Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1de55c288a6fd75ce590378bcc3b9bf02a66b8d45de5928d17d08339f5182586 25 1
Scheduled Task Executing Encoded Payload from Registry pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5e1d76eef43af47ab79dcfbdbb15919232ca5646aef7cc201d8aa1191b2d67f4 25 0
Use of OpenConsole Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a98f3c123f3a93c1b00c4d125f1350e14a15b206767e6a109767a0229611baa2 25 22
Windows Backup Deleted Via Wbadmin.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9aae4742b47a403c0d2871d344a6076cd6b797a267bbe2d0b85e607927ef3dc9 25 0
Add Windows Capability Via PowerShell Script Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f0193a082ffec8bb49a0621541982fe0c6a2ba5f5b536f62789f83021ee4270a 24 14
Delete Volume Shadow Copies Via WMI With PowerShell frack113 Sigma Integrated Rule Set (GitHub) 57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 24 0
HackTool - LocalPotato Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3830810896e4e4a4cb02898a844b8488dd8240175e569b96a950d8ae6bcb9c88 24 0
Raccine Uninstall Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba 24 0
SafetyKatz Default Dump Filename Markus Neis Sigma Integrated Rule Set (GitHub) 5b2f81ece2c70e3e5e4dd770e0b9c755c90c099bf527d2b257d43e1193585d13 24 0
HackTool - Certipy Execution pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 08313c93f25fcc42ac92fbc76a4534fa917a58a2272262a4f567000b39ad92ea 23 19
Office Applications Spawning Wmi Cli Alternate Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) Sigma Integrated Rule Set (GitHub) 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d 23 0
PUA - SoftPerfect Netscan Execution @d4ns4n_ (Wuerth-Phoenix) Sigma Integrated Rule Set (GitHub) 53e5e8636d8080a796ec082b38a179449644f15cca57cd7531dc1f4fcca223b3 23 1
Potential Suspicious Windows Feature Enabled - ProcCreation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 357a1509ab7f78c2a398c655fccc9dc788108fb9790efbdce90601bcd6d4b4de 23 9
Potentially Suspicious Windows App Activity Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8402e63c9283e770df7e32f8492615ebfdafa4151c457b3333e29ee11564c4b5 23 21
PowerShell Write-EventLog Usage Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fa5822a3aeab0960eda08e8d46a8126db47dc54aa6a0e0ae7a7163dc7fe9746e 23 14
Powershell launch wmic via class Joe Security Joe Security Rule Set (GitHub) 1f85dfeaa80a160e0d553a3ac8d1d5139a7622d4d146c43f52eedbe005757ba7 23 0
Sage Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 23 0
Shadow Copies Creation Using Operating Systems Utilities Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 16e1527c32b0f67a6b8e3dfaa73ba62c13f73f46a6b0d5962dd823d9ecac933c 23 3
Use of Scriptrunner.exe Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ee66b627cde43649f28de57c23b192a559378134d0f4b90b60b77109c8490d7a 23 1
LOL-Binary Copied From System Directory Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f3c07a8418c3bded0e6f5bc97177ca9d501ba33f7bc9936b907b11f939603b14 22 0
Potential Remote PowerShell Session Initiated Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) acad8e3e215caeb927f20d9296b9e48f54d909e55d58cb5b27bb4d334ab477a6 22 1
PowerShell Get Clipboard Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 524490479b353ff8d877b617014d2cbb9a65d782e87caae21e923760fd2ed255 22 1
Sodinokibi Joe Security Joe Security Rule Set (GitHub) c2ebed9de5119e2fc16078d56ef8c2d3fc9637ba785aa7893fe5cd6a3e1a3ccd 22 0
Sysinternals PsService Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 647bce287d915da46bf01fa65706878514260f75bea7273d4c5eee115ac0b031 22 6
WMI Persistence - Command Line Event Consumer Thomas Patzke Sigma Integrated Rule Set (GitHub) 2d6a5c8b5ff6663f305abc5b7d611b99089e2cf4ad71b0b3f9a89d8d05d71a89 22 0
Winword Drops Script In Startup Joe Security Joe Security Rule Set (GitHub) 04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc 22 0
DarkGate - Autoit3.EXE File Creation By Uncommon Process Micah Babinski Sigma Integrated Rule Set (GitHub) 72089cbe18d7a9e899b30d733717ba9daa4d7e1bda15025fd2e52a797163b8b6 21 0
Exports Registry Key To an Alternate Data Stream Oddvar Moe, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) 9695789356ce1e4c280773e1a4990ee193bc17704d78da2b4acb48eed6061293 21 0
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Thomas Patzke Sigma Integrated Rule Set (GitHub) 84d018445ff2f74f3d42483a4605f7bf5d16da359866d95b1be54371131e5836 21 18
Microsoft Sync Center Suspicious Network Connections elhoim Sigma Integrated Rule Set (GitHub) c122f750d19364e5cdb16e7fcce3cd01da31e9d258cfd5dc255864758d7d44b9 21 1
New BgInfo.EXE Custom DB Path Registry Configuration Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2290f63e826d0001c4fa42b39ec48d3a1e3aedc34b3635748ac20257cccc3bde 21 7
PktMon.EXE Execution frack113 Sigma Integrated Rule Set (GitHub) 2718243600ba0f2b3eed38a165f571cb8da2eeb23fd54844632d62088a47ad03 21 8
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b027ab789fb9aae6408830caeec9ddb51799862bf5bc8adc8cfe393d6483a66d 21 4
Potential QBot Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b 21 0
Suspicious ScreenSave Change by Reg.exe frack113 Sigma Integrated Rule Set (GitHub) a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 21 3
TeamViewer Domain Query By Non-TeamViewer Application Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7f5bb3e63c485ed446ed15d107875dc222ef1503df0aa3b709ca9bd920eaba52 21 9
Execute Script with spoofed extension Joe Security Joe Security Rule Set (GitHub) 206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 20 0
LSASS Dump Keyword In CommandLine E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5e648013d43c5992b13c647c1b522a289f737e3c1ef665572f75f913fde57c5a 20 6
Potential Persistence Via AutodialDLL Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 164cdc408856848b0eb1ce6165a865e2b8dbd9fcf0b5aa393fd7f1af640ff05e 20 0
Potential Remote Desktop Tunneling Tim Rauch, Elastic (idea) Sigma Integrated Rule Set (GitHub) b0551b45d814be91563636b774668bc85acfc296a30640e00aa036f4813d0809 20 4
Potential SAM Database Dump Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80a403e95306ff656dab00a85d9565922c30f10b9cceccba105e76eedb357bc1 20 7
Potential SquiblyTwo Technique Execution Markus Neis, Florian Roth Sigma Integrated Rule Set (GitHub) 293439c3a9a4af09073b054953f425c95028a6ac98eddc611a461090bd1f3373 20 0
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 58f889a08ad6ce38a9295b6b87119a8d48c26999c14dd5829b08aea2631a5e27 20 0
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 810120d4a8fae64091e6c4056b2ff78e02b530e2b6ecce817ed590937d637f16 20 4
Taskmgr as LOCAL_SYSTEM Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 20 0
WMI Execution Via Office Process Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) Sigma Integrated Rule Set (GitHub) 58a51088691ea6b0bb320e61f961a96216f54913353095e97a5b5c6e94ce74fa 20 0
WMIC launch script from xsl file Joe Security Joe Security Rule Set (GitHub) cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba 20 0
Anydesk Temporary Artefact frack113 Sigma Integrated Rule Set (GitHub) e10fbca4d86522aeac83abdc331770c474bf85a4fbe87cff23642eb6a498969a 19 6
Bad Opsec Powershell Code Artifacts ok @securonix invrep_de, oscd.community Sigma Integrated Rule Set (GitHub) c536e387a5fd3183e46be3c9a492ab73e5ade9b45179341ea25fcfe383cee92d 19 1
PUA - Wsudo Suspicious Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 52ed387697917fea6508ac90f395dedf45d52b74d34188d52bf6be42b4ab9697 19 7
Potential Emotet Rundll32 Execution FPT.EagleEye Sigma Integrated Rule Set (GitHub) 4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 19 2
Potential LethalHTA Technique Execution Markus Neis Sigma Integrated Rule Set (GitHub) c1db9b15fbf203a696f2047d6ce2c7c32283587487a72c4333b63b8005e6a37c 19 0
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b781bf9d3f406d9c4af525fd205bc5651cf5222b563981c53c4fbd9e36ad1407 19 12
PowerShell Downgrade Attack - PowerShell Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements) Sigma Integrated Rule Set (GitHub) 68dfd4dca345ef6d2fe87835db75f6e538426102929780a6f37dddb7730cb7e8 19 0
Renamed Sysinternals Sdelete Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7d63599d287fda108a45075e54ff5b89384e0fbceef8bccec56b981f485b278c 19 1
Suspicious Key Manager Access Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c7e5c778b0f4b6273f393fd9e32d97fe4145b2b1b3a8de87a9e02cd66f9c4383 19 15
Suspicious Processes Spawned by WinRM Andreas Hunkeler (@Karneades), Markus Neis Sigma Integrated Rule Set (GitHub) dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 19 0
File Encryption/Decryption Via Gpg4win From Suspicious Locations Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 18478181b6b617e46cc3c32642d9a39ff265353a398f2aa515a11e6b0fc2097e 18 0
Netcat The Powershell Version frack113 Sigma Integrated Rule Set (GitHub) afccc7dbdf0a361ce026bc9a376283952eb427865b9051cc07fd5ff5ed819482 18 0
Old TLS1.0/TLS1.1 Protocol Version Enabled Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e7999f5a682142d347ffd96c83545986ff1386f44917a1a86cc4d39b4fa2b8c4 18 7
Potential Data Exfiltration Activity Via CommandLine Tools Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 10f9b0f9e2b7be69811ff067e358984311772914e6957f50adf963207948fe4e 18 3
Potential Mftrace.EXE Abuse Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 70d88530c350b96b4e059f6e128a58c0cce646e61c82107835f0204bdb1192bb 18 0
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution frack113 Sigma Integrated Rule Set (GitHub) 9c3168b8b2ff965a5cf3ed36f4ce722df9e09021fbbc44075916c77d2132bc8f 18 8
PsExec/PAExec Escalation to LOCAL SYSTEM Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 18 3
Suspicious Sigverif Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 56643225c1e622a648289fb75934bcf15ac76a8bdb22a911e9f06d61e7db7077 18 0
UtilityFunctions.ps1 Proxy Dll frack113 Sigma Integrated Rule Set (GitHub) 49b5176aaffe3fdb7bacc0dff70b5ac48bf0872faf993e311c4f5530db76a160 18 14
CrackMapExec File Creation Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 025208b5b73f1640ce17844eb62f40d4ee3a9bf72b84c9cf66b9777b72e2ed33 17 1
ExtExport.exe abuse Den Iuzvyk SOC Prime Threat Detection Marketplace b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 17 13
HackTool - GMER Rootkit Detector and Remover Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e47f51603e07d3225e0193822f65d9ce5fb78441750008f7e5ae695626585c7f 17 0
HackTool - SharpChisel Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 23eb4319cc6c1995a632adb591fa9b089822a7ef6061519fdc43832fac6bfb69 17 3
New Service Creation Using PowerShell Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 7295161a311508a2b2b0c90fa652ea09872640a00c671f294d6a4780a85b83c2 17 4
PUA - 3Proxy Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b64369f53ef70c3d7e1d585af2907c0131463758488f404288df85bbb2891ee7 17 0
Potential Snatch Ransomware Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f 17 1
PsExec Service Child Process Execution as LOCAL SYSTEM Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f568e89bc8387361d0bc168c8a46059280d10de1ecffdc0e99533b7b290401af 17 1
Remote Access Tool - Simple Help Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f5bf8f63db9709b4fe83cff6a47977397b7d9b5122302643931941983a6f0d9a 17 0
Security Software Discovery - MacOs Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 96f1ded9c8d78d6aecb533a9fdde682e09aa97bc94f4d21bd39577705c1d7547 17 5
Suspicious Child Process of AspNetCompiler Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 740b947f37e23aebf12426023d92751904b9df145f63f09b91fdabf8d5aee1bc 17 0
Suspicious Remote Logon with Explicit Credentials oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton Sigma Integrated Rule Set (GitHub) 3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 17 4
Alternate PowerShell Hosts - PowerShell Module Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 5b34558f1c4d3065989635055533ba223585e99be44e2b0e319dfc6946c50ee2 16 10
Dacls RAT (Lazarus's Linux Malware) Ariel Millahuel SOC Prime Threat Detection Marketplace 79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 16 16
Enabling COR Profiler Environment Variables Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops) Sigma Integrated Rule Set (GitHub) 54d006ecd6dae89f884b01b6fbaa0d8010a9ab60d59993aa4d10c45146c3b4ca 16 10
HackTool - Dumpert Process Dumper Default File Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 16 0
Import PowerShell Modules From Suspicious Directories Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8d3babfc30026e6742962ab48698047f9a8036f0689ca28804828a0f4c74c1a6 16 14
New DLL Registered Via Odbcconf.EXE Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e5548908b8b99ebdd4de66bfaf33ddcef3df5c1a83d217f9809e9a2eeb0a8e1f 16 6
Potential Chrome Frame Helper DLL Sideloading Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) Sigma Integrated Rule Set (GitHub) 5b77fa52ebf2a5c351fd8dceea7d49b56575b2380b0a9487f4c0707000e2619f 16 13
Potential Meterpreter/CobaltStrike Activity Teymur Kheirkhabarov, Ecco, Florian Roth Sigma Integrated Rule Set (GitHub) 22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 16 0
Potential Persistence Via DLLPathOverride Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 19aedbf22a521287747df9d67d6f407fc9649a0c68f0cc7799c606dc1d952532 16 16
Potential PowerShell Obfuscation Using Character Join Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c4862257a12a109601071c91c17d133a44fa8e8b4a3f950b8bee653e573678bb 16 4
wmic launch powershell and execute encrypted script Joe Security Joe Security Rule Set (GitHub) 016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 16 0
Abusing Findstr for Defense Evasion Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 15 8
HackTool - CoercedPotato Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 665180f2daed28e41508871b665e63276343206dad8c8dbd86bd97bab857f5d2 15 0
Office Macro File Creation From Suspicious Process frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8f4f518c1c5f1faa9ad744166d845016dc78c82b4c7f38011fa687462b1afa18 15 2
Potential PowerShell Downgrade Attack Harish Segar (rule) Sigma Integrated Rule Set (GitHub) c2de0fe89604a2026e004a0872e75e079b8632fcc9ef341e34017c52fbb2eba5 15 7
PowerShell Script With File Hostname Resolving Capabilities Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 230d92ec3109cf1df60e1e9e3af5b45cd871c5458a607630ae6655e5d373e629 15 2
Suspicious Use of /dev/tcp frack113 Sigma Integrated Rule Set (GitHub) acaf2d56329609a17ef157534fe784b3570d4c344a3eff25b493f541a2526056 15 7
Sysprep on AppData Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 76d39c4238c645e864f006400ab59ebda393cfe12db20d6f7ec44eac3b27f6b3 15 1
Windows Defender Firewall Has Been Reset To Its Default Configuration frack113 Sigma Integrated Rule Set (GitHub) 00b96bc8d00802244409c54614fa31f98fe83547c5c43f4fd78e891c16f792e2 15 1
Allow RDP Remote Assistance Feature frack113 Sigma Integrated Rule Set (GitHub) 166df8c1d3e7f7c5a9fbd54dfc633614e8f49352354a3f5d9fe7ea04de73be78 14 7
CodeIntegrity - Unsigned Image Loaded Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b306695b6bb97e25e9d1a099c04eef42798259832fb062ad308fd797016c49d5 14 13
Creation Of Non-Existent System DLL Nasreddine Bencherchali (Nextron Systems), fornotes Sigma Integrated Rule Set (GitHub) 3177080de9eacb01db500eb08111e0cbe691a57ed11d8bbeffacd6e8ef6e9b2f 14 11
Credential Acquisition via Registry Hive Dumping Tim Rauch Sigma Integrated Rule Set (GitHub) ba431c90356b826afe0f0c811dab13c54cbe689123f1167962b6bd8f23edbb25 14 1
DNS Query Request To OneLaunch Update Service Josh Nickels Sigma Integrated Rule Set (GitHub) 3141ca54d65e69f8e114e2bc754b4e0fdd364ecff79dddb87ef2f62ad895ec46 14 1
New User Created Via Net.EXE With Never Expire Option Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4fa8ae2d822b83429e6b1a89ab0c9e8f9a3e769aedaf64ec7147fb1339f9f2f5 14 2
PUA - PingCastle Execution Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) fd0cd897f506978ff6667a20ae3279271012ea71e5721e9fc659e91605c9ceaa 14 8
Potential Fake Instance Of Hxtsr.EXE Executed Sreeman Sigma Integrated Rule Set (GitHub) 8dd172636988b9cdc1bf44aaceb27f6009d97516c54decea0812022b61cd8d7a 14 13
Potential Persistence Attempt Via ErrorHandler.Cmd Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 118315680d9be2facc48920f16da11dcf001dcab58a40dfb2466c3118eaaa4b0 14 2
Potential Persistence Via Scrobj.dll COM Hijacking frack113 Sigma Integrated Rule Set (GitHub) 9d0ab0b7154dbe461f0e116296f545e8955e0c85892bcff2de2b680e29ba2af3 14 6
Response File Execution Via Odbcconf.EXE Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 18ab8cf17024175e4f1d5ec237de24dcfb16890beb4847d0e90e79e0c59cfc85 14 3
Scheduled Task/Job At Ömer Günal, oscd.community Sigma Integrated Rule Set (GitHub) 4b0543e80b3bd16b1e6ea919e7bc4a108b206468266597c7a5147cd615f35fe3 14 12
Suspicious Reverse Shell Command Line Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8e3a8f0b4e0bf72703dfa7509e194c8bd77b591184bf65292cf9c554fe5d7149 14 6
Suspicious WindowsTerminal Child Processes Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 38cc71193a6a791f4d2ddb67fdf3a6baafab25ec9f4c861b11fbdca1c94a3f08 14 0
Vulnerable Lenovo Driver Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b05e5f1c810aad917ec95aa917177c7a3075f44d37d2ed2b21e953dc69c99eae 14 0
Bazar Loader Detection (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe 13 0
Copy Passwd Or Shadow From TMP Path Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 8ded73daf32e44d8446fc45b91e962b9508d911e85c06d0481f7c4321eba41fd 13 1
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 7943e73e12090a40bcc5a95e498a4655704cd76a8f1cc15acfef595e7f85a442 13 0
Linux Recon Indicators Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 89dfaef258fef652c6b4ad4126f6bccece50ba696d0208cfc0aed440c1a9ab20 13 4
Lsass Full Dump Request Via DumpType Registry Settings @pbssubhash Sigma Integrated Rule Set (GitHub) a3907c9a6a9a7e855b8ae2313f70c84cb7ed140f7e46502006474974da28e14a 13 3
Network Communication Initiated To Portmap.IO Domain Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8686efdbc7ea9cff439cb7c01cac6836d2b4863b942ce75b26f9b6540975552b 13 0
Potential CCleanerReactivator.DLL Sideloading X__Junior Sigma Integrated Rule Set (GitHub) a8fd4a570107258e03b26b713f8828ce9b12422ae791b631ae9f0d43db3d7c05 13 13
Potential Memory Dumping Activity Via LiveKD Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f0f9d14e111aa91965d2d0a99eb4d846dac08daabfd373803a6a7e4fa61fc4ba 13 1
Potential Pikabot Hollowing Activity Andreas Braathen (mnemonic.io) Sigma Integrated Rule Set (GitHub) dfbd5340c469a9808e1924fb200f0b7bc6a8c9064e9f1f3f31aada63ba5a81f8 13 0
PowerShell Base64 Encoded Reflective Assembly Load Christian Burkard (Nextron Systems), pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) c29bdf15b24c1c0a11c8652a68f53594b306a585e56099b3a1b22cfb438e5247 13 1
Suspicious Get Information for SMB Share - PowerShell Module frack113 Sigma Integrated Rule Set (GitHub) 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 13 8
Suspicious PowerShell Mailbox SMTP Forward Rule Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a9b0d95e9a34c915ab22d89c790c054977cd6411f4fdebffa6e36f09e5376c9c 13 10
VsCode Powershell Profile Modification Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 59db8591e12ce774c3ed205213760eb2341a6314257edbd898e991ea42d98e80 13 11
WMI Backdoor Exchange Transport Agent Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b02fbc5fd12d501dbd78749545483c506550bfb474efa9683e58ac4b2e4211b0 13 11
CertReq.exe Lolbin Den Iuzvyk SOC Prime Threat Detection Marketplace bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 12 0
Cobalt Strike DNS Beaconing Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 12 0
Connection Proxy Ömer Günal Sigma Integrated Rule Set (GitHub) 70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf 12 8
Defrag Deactivation Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) 8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 12 9
HackTool - PPID Spoofing SelectMyParent Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1b73c8337d65bc8a945dd977fe40a0c1b9ef6b3e5b6fee0703621d9a088a9e48 12 1
Install Root Certificate Ömer Günal, oscd.community Sigma Integrated Rule Set (GitHub) ec31a3e8dcd4d55b032d9d6697f403b4260762840a75ef84a25fec68f4d78fd6 12 11
Malicious Driver Load By Name Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 906bfd56d8137360d8bf73ae2a77e12c06e9fcf42bbd522bb44ec062c598a74c 12 0
Malicious PE Execution by Microsoft Visual Studio Debugger Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community Sigma Integrated Rule Set (GitHub) 833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd 12 0
Permission Misconfiguration Reconnaissance Via Findstr.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c26472b8ef978b2519ce5cb30b5d30baa08b0717a6302fcbfc81a2c8ebde884b 12 0
Potential CVE-2022-26809 Exploitation Attempt Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a212f91d8c2a0d339c91a9344ae02c2847e74c85458506b719d65b59e4e79069 12 0
Powershell Store File In Alternate Data Stream frack113 Sigma Integrated Rule Set (GitHub) dabcdcdecebe87ed3085b193d3ed09029f3556672622b42d5759dc816f0b6173 12 6
Remote Access Tool - ScreenConnect Server Web Shell Execution Jason Rathbun (Blackpoint Cyber) Sigma Integrated Rule Set (GitHub) daae21f683167b21c52b2d5cf76621dcdb8d8f60b79337e74692181948d4cee5 12 1
Scheduled Task Executing Payload from Registry X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 746f7076c751ad73e28f35f1b0cf28741457217c7d9eeec546aae0616ccd5ffd 12 0
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code frack113 Sigma Integrated Rule Set (GitHub) 37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 12 0
Tycoon Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce 12 7
Uncommon Child Process Of Defaultpack.EXE frack113 Sigma Integrated Rule Set (GitHub) 33c04ff56fdad87a0289647b36de2841f4a6fa4866c8656a4005c9f9048ce732 12 10
Add Windows Capability Via PowerShell Cmdlet Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 684b246bdb157e11d1985c522a8f891d7dfea0ec8d30864c9e2fe04cc9564973 11 1
Adwind RAT / JRAT Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 11 0
Credential Dumping Tools Service Execution Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b 11 0
Hidden Powershell in Link File Pattern frack113 Sigma Integrated Rule Set (GitHub) 9e321ddc9cddac65fd520665184681e53aedaf0652832edb168aa27ac04e59ca 11 0
PUA - CleanWipe Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 11 11
Perl Inline Command Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d7702078dd10096eb5abed05e061a8a1faec0e7904a86b6b39f6faaaa294190c 11 5
Potential Application Whitelisting Bypass via Dnx.EXE Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 11 0
Potential LSASS Process Dump Via Procdump Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b 11 1
PowerShell AMSI Bypass Pattern @Kostastsale Sigma Integrated Rule Set (GitHub) a7940883a0164e9f8e04f1c88ad85ebf44ddd11d7a06aa93f7c42c3111a33d01 11 0
Qealler Detection Rule Ariel Millahuel SOC Prime Threat Detection Marketplace c8b5691bd0f6cb0670869259285160320643f60ba111d9c93b81c6bc5e088037 11 6
Suspicious Keyboard Layout Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1e8253d40fd15968a25971ec64e35f84f90536676b445d16184bde41a5fc6ba0 11 2
Suspicious SYSVOL Domain Group Policy Access Markus Neis, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) ff263a69e24c4173f3baabd03b59d71e2dd4679b248e9bf0851bd9852043117c 11 11
Uncommon Child Process Of BgInfo.EXE Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) 3a9675abeacca74d231073efcc4c362ddc755278240288e69cd34b2f2052cffc 11 2
DirLister Execution frack113 Sigma Integrated Rule Set (GitHub) 1f0dfd07d0caa1048bb3bb336c0d72bf884362c570c7a4bd683aa30e5f81ea19 10 2
File Download Via InstallUtil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 74bf8f7775d6752c01caa0e5567c487ed43033b01b06fd72118ddb922ba1fae7 10 0
GAC DLL Loaded Via Office Applications Antonlovesdnb Sigma Integrated Rule Set (GitHub) 10c0778367f03c51cf9136815b90c0d7a820fa857a135c645c55014481fd1395 10 0
HackTool - Hashcat Password Cracker Execution frack113 Sigma Integrated Rule Set (GitHub) 9621c87be63b1ea5e038a8d2759bc0bbe6a5ee4f322b9763fdc06f159d781698 10 2
HackTool - KrbRelay Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 03e06bc61499c16b25ec22e9681f9e9633dc812e30ec543e7a5105ecbf3220f4 10 0
Invoke-Obfuscation STDIN+ Launcher - Powershell Jonathan Cheong, oscd.community Sigma Integrated Rule Set (GitHub) 8bc4688c4e1827de8ac2769dd693f5ee1d6a3dd731e0fa459a1d47788bc3ab77 10 1
LSASS Process Reconnaissance Via Findstr.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e3175b1068c342ed7e05a42913dc8cb72ea0167a81bf24fc620261d4ec40f78d 10 1
Mimikatz Kirbi File Creation Florian Roth (Nextron Systems), David ANDRE Sigma Integrated Rule Set (GitHub) 95885fc26cc231b01a2aec40f7e62fdfbb58e544c344b8698f80b7d9a67488df 10 1
Potential ACTINIUM Persistence Activity Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) 58bd50bf4c2f3dee57aac7f6c2f5671bd781f59b9e71a8c191de01ef8cf53de0 10 0
Potential DLL Sideloading Of Non-Existent DLLs From System Folders Nasreddine Bencherchali (Nextron Systems), SBousseaden Sigma Integrated Rule Set (GitHub) a9e64c740dfa885688164e22b515ae2bbf72a98c9b78c4cc612d3789cd06b93d 10 3
Potential Persistence Via Shim Database In Uncommon Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4ab73e958ae7c677f546adaf223074983fa1112cf7085c97a5dc943e6698e822 10 0
Renamed BrowserCore.EXE Execution Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) d41dfd30129ef96d21bf50a0af9161636d21ec67ec25000786a06ba54a7cb7b7 10 0
SQLite Firefox Profile Data DB Access frack113 Sigma Integrated Rule Set (GitHub) aa3ad15f592c022521aa6e4bc687dc3c181cea9b9343b55e1b909bc937113348 10 0
Suspicious Git Clone - Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b45fda745c28f956a8d08fcefc5abdf9259342cdae5876d32e23f0f97ff99d1e 10 10
Suspicious Regsvr32 Execution From Remote Share Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0415bc3e4953b49601e59c9e77f268c8b8163cb32d777dc5a37b169f9fcbd8ca 10 2
DNS Exfiltration and Tunneling Tools Execution Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 9 1
Explorer NOUACCHECK Flag Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 787401eca6027a528e035e6315ce80b537c4d3bd9944cfaad07ca911aa306675 9 2
HackTool - Jlaive In-Memory Assembly Execution Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) Sigma Integrated Rule Set (GitHub) ef084ef7df4d6d338332a4adf3272c6d7b031a4529a2d7030ec19c2a0e0fe9fa 9 0
HackTool - PurpleSharp Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 9 0
LOLBIN Execution From Abnormal Drive Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman Sigma Integrated Rule Set (GitHub) 238344575bbb5eb706fb34305ba1e18c4f040fc25f6e6aede8cae2d0bcdc64fe 9 2
Locked Workstation Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f 9 3
MaxMpxCt Registry Value Changed Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8d70e32bf8761ec29c3041975705f1e2fae75bceb86dc470f68fb5470998ebbc 9 1
NotPetya Ransomware Activity Florian Roth (Nextron Systems), Tom Ueltschi Sigma Integrated Rule Set (GitHub) 641862d7e2c86cdcc7b53162395c508471d30b1911e0be65fb335d6208a110b3 9 3
Potential Rcdll.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5ff2611b9e4afd1b48de5dbd0767a94154d20da0dcd882c34d36627964c17e70 9 2
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS blueteamer8699 Sigma Integrated Rule Set (GitHub) 93d3c8484d953299cdaafb696acdb7e33fd8a569cd8682a0d501a122f2b8290b 9 0
Potentially Suspicious Child Process Of VsCode Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2b2fdd02e6d67b114c93dcec1de1de2532845d73efb0b0201ca22e901501832f 9 0
Query to Ammyy Remote Access Software Domain frack113 Sigma Integrated Rule Set (GitHub) 5d5ea99f7c040a6706db9d67e16b384eebe02132d410d1f9edc4131c8045469f 9 0
Renamed Cloudflared.EXE Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 873e85f733935e924e8f1fa74c1f9f11028b553ba91de13826d5333190210b11 9 6
Renamed PAExec Execution Florian Roth (Nextron Systems), Jason Lynch Sigma Integrated Rule Set (GitHub) 58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf 9 2
Renamed PingCastle Binary Execution Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) eae130a350341508858739da2c40e1c506012a525ad9d8b3b5d36b422f8b929e 9 4
Spora Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 9 0
Suspicious Package Installed - Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 88da3a6d05ee5ef259c6d116e0929c1d37d2af45f89850ee23e504ea0c83de04 9 8
Suspicious Wordpad Outbound Connections X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5fdc0db01908f4a29aeb14a39db1c793260932e8fb9aa97303e48ec06d68ec24 9 0
Third Party Software DLL Sideloading Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) Sigma Integrated Rule Set (GitHub) c928de859419e27752e8b2fccceed03920e3be606bd678e119c3d5fe8ee94a9a 9 1
Time Travel Debugging Utility Usage Ensar Şamil, @sblmsrsn, @oscd_initiative Sigma Integrated Rule Set (GitHub) afad13c67de2842888c6d4678ab0ab46d7369e91b6c7fb525482e91294e4ccad 9 0
Check privilege of CMD via whoami Joe Security Joe Security Rule Set (GitHub) 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe 8 0
Disable Powershell Command History Ali Alwashali Sigma Integrated Rule Set (GitHub) 9bad9ab33b286bb06b80490c60a3b9a1136560cf838d47ba48b3384b762267e6 8 2
Findstr Launching .lnk File Trent Liffick Sigma Integrated Rule Set (GitHub) 2db81575319b095e5240489dc39a6070fb3e587fb35a6c988f38cbc71fede886 8 1
HackTool - SharPersist Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b0c69b8d2020a5d6c12bee42bba9e6d94b6b9045ea1920405133ee19546dbcab 8 0
LSASS Memory Dump File Creation Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 8 0
Msxsl.EXE Execution Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) ae7b576a3a4975bf50b43165f4c1f319c45da44af1dfb0c8ee9476258ac726d2 8 3
Ping Hex IP Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a78012a975b5cccbdd9caf22ce8a5065aa442b2459190ab2a3a0b39e1eb66bee 8 1
Potential Persistence Via PowerShell User Profile Using Add-Content frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b 8 6
Potentially Suspicious File Download From ZIP TLD Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 03db66b3c4d5474f5f84d9a053f19cfcdcf35d396fad150f9e8cef0ca6218550 8 8
Potentially Suspicious Network Connection To Notion API Gavin Knapp Sigma Integrated Rule Set (GitHub) 9714bc1425872c757c1c3e386bccbb903df68beb44462bae73a91d08255201f0 8 4
Replace Desktop Wallpaper by Powershell frack113 Sigma Integrated Rule Set (GitHub) 0f1aa746beaad206dc77bb8542a498967f1fb26e0677a3fdf90cfd5cf5c22a75 8 3
Suspicious IO.FileStream frack113 Sigma Integrated Rule Set (GitHub) 08e71eab529494c6cef4d7f699f5d95c87b1d954ee61b6f061d7005246b726af 8 4
Suspicious Process Patterns NTDS.DIT Exfil Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9c132dee2c953c2d2497b3e00b2cf2309bc1f44409b130f0e34af66f9edf8713 8 2
UAC Bypass Using ChangePK and SLUI Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e 8 6
Zip A Folder With PowerShell For Staging In Temp - PowerShell Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) 70e3421aca89a28b1d599aafae9fdd903822e32a691eb39731812bc02f3b9dcb 8 0
Audio Capture via PowerShell E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) db002a5ffd8be8305184d197dda045b272ab439c9fc205a6ce985e3eb911df70 7 2
Blue Mockingbird - Registry Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) 047c4b3f6b03d9a7cd611e4baaeffab7d6854460859ecf302466ae225ddaf2c7 7 0
Bypass UAC via WSReset.exe E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth Sigma Integrated Rule Set (GitHub) ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 7 0
DirectorySearcher Powershell Exploitation frack113 Sigma Integrated Rule Set (GitHub) 59fea38f0030f37a8b1bcefb7450d7a94ba474f5e72db8b8f7a4850d643ad2e3 7 3
Enable Restricted Admin Mode To Bypass MFA (via sysmon) SOC Prime Team SOC Prime Threat Detection Marketplace 7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 7 3
HackTool - PCHunter Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 8046d8e3f3ef408857439eaf28938b362576b464ba00290a73789cfc2fb05d9d 7 0
HackTool - SharpImpersonation Execution Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 94b769b76d6dca121622b8559c3f5ed337893a1ee9dbbe67442d2f649a373b42 7 0
HackTool - WinPwn Execution - ScriptBlock Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) 608e6316d5e2bab30263ce4e9c051683feba8e73b13892340fdc8f3e39513ad3 7 0
Invoke-Obfuscation Via Use Clip Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) cf3869e5aa623f0e8acc74d1afaf5036cb7bbbcb1418a1af1670aef332fd2115 7 0
LSA PPL Protection Disabled Via Reg.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80855f8a9447aabc3c921b18396835e82ab35d2beb39b56f2d34d156ca2ac9ae 7 4
Netcat The Powershell Version - PowerShell Module frack113 Sigma Integrated Rule Set (GitHub) 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee 7 0
New Network Trace Capture Started Via Netsh.EXE Kutepov Anton, oscd.community Sigma Integrated Rule Set (GitHub) ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 7 0
New Service Creation Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 0e01e0ac3c9d7b292996c00466851ff64ca8e3aabb384b096bddba88aa769464 7 0
OilRig APT Activity Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 7 0
PUA - CsExec Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b2300d5d918bfa55070c1a6c9eef5422d85306572df402f76d8549d97778851a 7 2
Possible Process Hollowing Image Loading Markus Neis Sigma Integrated Rule Set (GitHub) fcf7620e2328b946e9b3d0f404695a61a8943ec4865dcb48e4be1d1094ac3196 7 2
Potential Persistence Via Netsh Helper DLL - Registry Anish Bogati Sigma Integrated Rule Set (GitHub) 4b4cd16c122f46fa70660a3d40c309ad3aa316bb78e9d0c38261a9e876f12932 7 3
Potential Persistence Via TypedPaths Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ecac746e53261713779b4a2d6976c0747dd23e09ae800760119a4aa26f4ee527 7 0
Potential Register_App.Vbs LOLScript Abuse Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) cff1e1978dab401a82f456bac2436b263ce457f5ad9e3283c8d77f7ab885b87a 7 7
Potentially Suspicious Wuauclt Network Connection Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 797b0bc9c2136612087c0b95b2f7917f60d1429162e72a7207861e247618dae3 7 0
Powershell launch wscript Joe Security Joe Security Rule Set (GitHub) 2daf820a836b6725473b0e6ef3075aff5f25c39f1613ea91e098fa179d7a30a6 7 0
Recon Information for Export with Command Prompt frack113 Sigma Integrated Rule Set (GitHub) e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 7 1
Running Chrome VPN Extensions via the Registry 2 VPN Extension frack113 Sigma Integrated Rule Set (GitHub) 09e6a0408f2c734eee75232ab5bc1dd09b1be6e414b3e10b4d2f9efdd69c2311 7 6
Sensitive File Access Via Volume Shadow Copy Backup Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 7 4
Split A File Into Pieces Igor Fits, Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) 712e9f7f7214c248ff6777f914a1cf282ba49bc580bbbe4bb40a38cfacec7927 7 6
Suspicious Cabinet File Execution Via Msdt.EXE Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 Sigma Integrated Rule Set (GitHub) 4c0f8984146566700f953eb45fc4781e3347270de34abc6768ebafe2403c457b 7 2
Suspicious Reg Add BitLocker frack113 Sigma Integrated Rule Set (GitHub) 1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 7 3
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 413ab718402521225cd65e7866d07b849a38758c52a3bf913da2fcc4bce26ab3 7 6
Touch Suspicious Service File Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 4c152035fe4a156a8598afe425e00c7fa018704640cedc3fc083405840db2324 7 2
Typical HiveNightmare SAM File Export Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f89983755305fab46f3677edade72743effd233979db77ffa6c51a9d1fb4a18c 7 0
Certificate Exported Via Certutil.EXE Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 979cbccf990be909d4f159a82102389c4c0c7f925d721346e5eeb3ec66af615b 6 1
Cloudflared Quick Tunnel Execution Sajid Nawaz Khan Sigma Integrated Rule Set (GitHub) 202614b23ae8dbee79f1e984787e29f1b16b9952b40ce6cc71429a32fa9cacf6 6 5
Copy From VolumeShadowCopy Via Cmd.EXE Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) Sigma Integrated Rule Set (GitHub) afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f 6 3
Create Volume Shadow Copy with Powershell frack113 Sigma Integrated Rule Set (GitHub) ef1d2531cf3919c8ed1ffd678acc8325c41225368f4add8ce5d727f9d4f742ba 6 4
Detection of PowerShell Execution via Sqlps.exe Agro (@agro_sev) oscd.community Sigma Integrated Rule Set (GitHub) 541caef712c71465ca223d69670a2ef4826f41323f21f161bc699c23ba201602 6 3
Diamond Sleet APT File Creation Indicators Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ddd1dcf7e7fcf2883a62f25b86d45a03612f001c32620254eb246b8e78d07765 6 0
Execution in Webserver Root Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d11dfd4a7ffb536505adf98a4b97c1540b6e89a26661bf9f238b4a4d8f3133a9 6 2
External Remote SMB Logon from Public IP Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) Sigma Integrated Rule Set (GitHub) 676272e187514be2245c3e99449f737c2a5ccd25c5cc68d52d965c7638c25fdf 6 0
Get2 Downloader Joe Security Joe Security Rule Set (GitHub) 959a4fa9a66799f33b7f7ea4c82ec1869a3031768b47d0a7be1221b66ee355bd 6 0
HackTool - CACTUSTORCH Remote Thread Creation @SBousseaden (detection), Thomas Patzke (rule) Sigma Integrated Rule Set (GitHub) 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 6 2
HackTool - EDRSilencer Execution @gott_cyber Sigma Integrated Rule Set (GitHub) 79d4d5d30b70f2ddc17cda1ca9f2f714a7e883df62fcb6b55b6d426dee3a450d 6 0
HackTool - SharpMove Tool Execution Luca Di Bartolomeo (CrimpSec) Sigma Integrated Rule Set (GitHub) 52709f1d022c43ed380f17238c6ef21a8c776d68962ee8bb294257a122e3f27c 6 0
HackTool - SysmonEOP Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6fbc0321364b37bef63538725c9c7e8e9c0702db310e3060a5da9d201d72a796 6 0
Lolbin Runexehelper Use As Proxy frack113 Sigma Integrated Rule Set (GitHub) 0335799533ff0b89a5009e68973be7f6433ddf66282123e1845a58a8e8ec7b87 6 0
MSExchange Transport Agent Installation Tobias Michalski (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 6 5
Macro Enabled In A Potentially Suspicious Document Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 6 0
PUA - Crassus Execution pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 43a1d4f767ed0c719d573fd6ddfd62abcd7f8ebc365f97d7c2f83f9a7eeac91b 6 0
PUA - Potential PE Metadata Tamper Using Rcedit Micah Babinski Sigma Integrated Rule Set (GitHub) 8eb59cf451fc1b4a57d9996082ad83751d5fe59d20e9b3562534ccf7fa0a07ab 6 0
Potential Active Directory Enumeration Using AD Module - PsScript frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) e5d9812b15bcfd11818558302edf1cd1fdc52ea1a6ad66b17bb07eca4d7d8545 6 2
Potential Baby Shark Malware Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7e3c417e8dc74e72824b44e745f3abcd085e70e309ca15d279f127de94331f6e 6 1
Potential Credential Dumping Attempt Using New NetworkProvider - CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4777339ddbbc4185feac4c036855d36de485c1178bdd82acf02e02b9b3792f27 6 3
Potential Discovery Activity Using Find - Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d11f1faaade0dee2c5c9802c5ca3156a6b215ab8469e61f9b18a1632d913c1b5 6 3
Potential Discovery Activity Using Find - MacOS Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5d89a75781e7f83d35cd5bbf56e6ff75e28edd5893d5b4e2b423fcb909152679 6 3
Potential Netcat Reverse Shell Execution @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 48eb2cf6fbed9e5a8ecd06131da8406600394a1db3ad8823802706b906a09f7f 6 4
Potential Network Sniffing Activity Using Network Tools Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e0fec53c12094131d1b4e307c8e9dcea040e6d3cbb6b5eff0144c5a71473253d 6 3
Potential SNAKE Malware Installation CLI Arguments Indicator Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 776160f093a30c394ee06208302af31972f09fa9e8f5c8513d5875805b1036fa 6 2
Potential Tampering With Security Products Via WMIC Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f 6 1
PowerShell Console History Logs Deleted Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c46b249f0117bfe33cadfcaf2c8bdae7fac2bdb7d0cd559e546090de4fe930f0 6 0
ProLock Ransomware Behavior Ariel Millahuel SOC Prime Threat Detection Marketplace 6f434a5ccf3c234c99a17756d76f7690d09d6c565f238cb77186e687baae2278 6 0
Registry Persistence via Explorer Run Key Florian Roth (Nextron Systems), oscd.community Sigma Integrated Rule Set (GitHub) 1e3577ce99797b69eb40df7b9839ea82c3529cc36c44fdf5f4966c1966c44799 6 0
Sofacy Trojan Loader Activity Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) c070e2f2f992c0ce37ed49db72f4c8ea1c3a9cc853e61535bd2625b5ae688b78 6 1
Suspicious Application Allowed Through Exploit Guard Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 29b522d95420783d0a63b55dbd3354b097998d44c509743818e59c058b508fba 6 4
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a8a088c8f88e78c7cc5ac33b30194b8a3087f2088063a607ae95d5f4ea54e273 6 1
SyncAppvPublishingServer Execution to Bypass Powershell Restriction Ensar Şamil, @sblmsrsn, OSCD Community Sigma Integrated Rule Set (GitHub) 8326a878ec5c1017e74941a7f45b60cfacf514ecaf4c2f5a787bfbecdc6bdf84 6 4
Use Get-NetTCPConnection frack113 Sigma Integrated Rule Set (GitHub) 84f3662b966321c45129926b0bf88e5845313e0cd9f0b7ec89f79f37c2fbeaef 6 1
Wmic Launch regsvr32 Joe Security Joe Security Rule Set (GitHub) 4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 6 0
APT27 - Emissary Panda Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 49512d886fa3e8d9595464c693fad4fb93dcbdbc537cda049dacce772f11f38f 5 0
COM Object Execution via Xwizard.EXE Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 5 1
Change the Fax Dll frack113 Sigma Integrated Rule Set (GitHub) 1cd0c62ae8a59243c600f2ecbb1c6b3e7b207c19dfdbc91defb8557cdfecef34 5 2
DNS Query To Devtunnels Domain citron_ninja Sigma Integrated Rule Set (GitHub) 254c09638219aa6696f2e2081c648d3dd50771345f11602b8537de5853d0534e 5 0
Detected Windows Software Discovery Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b 5 2
Drop Binaries Into Spool Drivers Color Folder Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2ef7bdcb98df6e413074966907c161b915f676e3f947a452e418049eeed22b75 5 0
EventLog EVTX File Deleted Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2b0d9d7e9525bf270536360deae4be670fd711eeb30bc51caa119fb9f61e3293 5 0
HackTool - Sliver C2 Implant Activity Pattern Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 37af4676baf9c863ccb2ca099ad1368020d8f1969b80a3e8a21065525136ff56 5 0
HackTool - WinPwn Execution Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) 75a67459e117421972b0c39ee9d1c2780a77f3110cc7fdffde53730cdaa7bab4 5 0
Imports Registry Key From an ADS Oddvar Moe, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) 004a32a3ac811e09e68ff3749364d27bd3064f5a8e6e2869b7b47cc6667b939e 5 2
Indirect Command Execution From Script File Via Bash.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 11020bcf53b965fedad4d6de4a0a624f9821c338f483405ea18ded010a551c50 5 4
Invoke-Obfuscation CLIP+ Launcher Jonathan Cheong, oscd.community Sigma Integrated Rule Set (GitHub) 96f143150cf12b082ad12ff80043a40ce507e50dbf6f4c6d68fb1f4f0cbe1771 5 0
NPPSpy Hacktool Usage Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed 5 0
Nibiru detection (Registry event and CommandLine parameters) Ariel Millahuel SOC Prime Threat Detection Marketplace 8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 5 0
Operator Bloopers Cobalt Strike Modules _pete_0, TheDFIRReport Sigma Integrated Rule Set (GitHub) e730bec5d212d6a2c262a97a77cb0b3bf1ba182161a6648b1a4cf4936fede01f 5 1
PUA - Sysinternal Tool Execution - Registry Markus Neis Sigma Integrated Rule Set (GitHub) 35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 5 0
Potential Base64 Decoded From Images Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) d17f74bd10224f28ca8ad151cb9cd1c5e19ae38f0575362101e7e3c2f0fb6414 5 2
Potential Commandline Obfuscation Using Escape Characters juju4 Sigma Integrated Rule Set (GitHub) 4ead40e4f0adc5e486cc7911fc0b0b94f05bfe0d27b5f0c2d24e0c803d089fc5 5 1
Potential Exploitation Attempt From Office Application Christian Burkard (Nextron Systems), @SBousseaden (idea) Sigma Integrated Rule Set (GitHub) 5b693c1a0e1c87bcc7e8b870deef8f3f2c0aa4be921233e7ff5379f3b1f85dfd 5 0
Potential In-Memory Download And Compile Of Payloads Sohan G (D4rkCiph3r), Red Canary (idea) Sigma Integrated Rule Set (GitHub) 000961bac8191e7ec977b21db664763efb7130c56f4cc8e908bfd4fd24f97824 5 5
Potential Initial Access via DLL Search Order Hijacking Tim Rauch (rule), Elastic (idea) Sigma Integrated Rule Set (GitHub) e6d0eea0a68b5abc52d30a4b096e43a13457c330945c48f0e430af2cc2e61bfb 5 1
Potential Signing Bypass Via Windows Developer Features Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 986893b548623816b5ae487b1583f58f990d71c70832d8464ad658f66e9da4b9 5 4
Powershell download file from base64 url Joe Security Joe Security Rule Set (GitHub) 197268256285c42b2e838f027388654e2a212ce987a525c6d95784c7abb2d786 5 0
Process Memory Dump Via Comsvcs.DLL Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 31766028cc56afd6db535a222ec9ffa3a26c485dcd759324e890434acf17a601 5 0
QuarksPwDump Dump File Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4517db7f1f005bd0a18fc8081dbef15a21dede187d618c62699e3b1d8668580b 5 0
RDP Login from Localhost Thomas Patzke Sigma Integrated Rule Set (GitHub) 3895d9722610797e2eb09dca91e1a804bb4eec6cc1ca5b81a937f13e4adc81f6 5 0
REvil Kaseya Incident Malware Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) fc2108a980d79a05e920b28c15d995fa0652a1dda317ce1fa22da44d694541d3 5 0
RemCom Service File Creation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) aaf9c0f6fae3f23d344e3886423f727248cb280156f92be90557e288adfb51d9 5 0
Remote Thread Creation Via PowerShell In Uncommon Target Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b6b512a36600d72d464945b37dc5edcb606a3e429979c7f50e117d9a428ebaeb 5 0
Root Certificate Installed oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 80e21a1883c10ba77d6f4a1b0b6903e9ba65d57e1874d2cd81b121f762481c64 5 0
Run from a Zip File frack113 Sigma Integrated Rule Set (GitHub) 5cf936f9d2feaada449504fe406fc44b2ee6f674a4433863662f135096618431 5 2
Suspicious Certreq Command to Download Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 5 1
Suspicious Get-ADReplAccount frack113 Sigma Integrated Rule Set (GitHub) 478761747645c9124bc13d30f52628821f5399cfaa18aa7299711991ff610f50 5 4
Suspicious Get-Variable.exe Creation frack113 Sigma Integrated Rule Set (GitHub) d3f846e7661da10674d978e09815c9157764a57fc6651e2b2f8cb498cb4220b0 5 0
Suspicious Non-Browser Network Communication With Reddit API Gavin Knapp Sigma Integrated Rule Set (GitHub) fb3b178eb2ccfc3d8efba6b381a3e6aa0dd226e4216ac1d696066c8cb6be3594 5 4
Suspicious Registry Modification From ADS Via Regini.EXE Eli Salem, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) 7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 5 0
Sysmon Configuration Modification frack113 Sigma Integrated Rule Set (GitHub) abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 5 2
Taskkill Symantec Endpoint Protection Ilya Krestinichev, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8cab8c8e34c5bf6c9ad0f509a28ebf3139e2d73c3b69078e57a1a63a0d5465f3 5 2
UNC4841 - Barracuda ESG Exploitation Indicators Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ee7d4dbd9f33900a9a93c377bedcfab9cbc2a4baabbbd764d436f767635f603d 5 5
Usage Of Malicious POORTRY Signed Driver Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b6bbc36542c77f8d058bdc271a081010f06acd3d3b84465a3ab065bc5723eb46 5 0
Use Get-NetTCPConnection - PowerShell Module frack113 Sigma Integrated Rule Set (GitHub) e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac 5 3
WhoAmI as Parameter Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 31e555cd1c55ce445dfd8bd7c10843187298b45b39b33ddf41b5bce83e212c86 5 1
APT 37 Ariel Millahuel SOC Prime Threat Detection Marketplace c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a 4 0
Arbitrary File Download Via IMEWDBLD.EXE Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) 43e02140c577391f4f448dee2a5252a421485f65e30fb1a8c5100dedc59e6111 4 1
Disable Microsoft Office Security Features frack113 Sigma Integrated Rule Set (GitHub) db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e 4 0
DumpMinitool Execution Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) dd9440afb1ca0cf7997134c36af074fb136e90414cfd1d56903ab43e8c52b253 4 4
Group Has Been Deleted Via Groupdel Tuan Le (NCSGroup) Sigma Integrated Rule Set (GitHub) 985e3f8e0a9e16b289aeb9790dca44cc4fba4b0bc7ea20ad82dec4aee0ffb216 4 4
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) Sigma Integrated Rule Set (GitHub) 4c210a3b529cf299f6fa37ab319ba3210295416f01a975321a00c8d6e61fe960 4 0
Interesting Service Enumeration Via Sc.EXE Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) 96388ced606f7e338e6e4e6b4016082f23db8c47bc9c0479bce4b46713bf52f5 4 0
Jacksbot (Registry event and CommandLine parameters) Ariel Millahuel SOC Prime Threat Detection Marketplace eed56e9a26e865b9accdc5a4ef7e681ca4b83deb2c6f21a65d28cac9e28547f1 4 0
Mshta Spawning Windows Shell Florian Roth Sigma Integrated Rule Set (GitHub) 464455b93d1b76acf868754cca0e609af558267671ad641714ca27a923efb9ba 4 0
Network Connection Initiated By AddinUtil.EXE Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) Sigma Integrated Rule Set (GitHub) b611a24b790a31aad876c02e032c02d5d2c1262d42e4b6dc4d773287467d66f4 4 0
Network Connection Initiated By IMEWDBLD.EXE frack113 Sigma Integrated Rule Set (GitHub) 785fda7f769e06444f3d969a9e64bac3cb1625df98e533dffbb90df45425e748 4 1
Network Connection Initiated To Cloudflared Tunnels Domains Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 47d52697af45ed84c749feac994b3da38263445a349357d071cd866b73d61080 4 0
New Virtual Smart Card Created Via TpmVscMgr.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a9f01b952a8701fd70653525eead398a200949fadad6dbd431a57585a2779e52 4 4
Potential CobaltStrike Service Installations - Registry Wojciech Lesicki Sigma Integrated Rule Set (GitHub) eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de 4 0
Potential Credential Dumping Attempt Via PowerShell Remote Thread oscd.community, Natalia Shornikova Sigma Integrated Rule Set (GitHub) ed3831d20478d9b3e7a4bada4351902574fc0eb36fbfd51032119c477b94e4fc 4 0
Potential GobRAT File Discovery Via Grep Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) f2b7e99557cee988b524bd2d2f8d377bafac5c0d25546caf506df8734c2578ce 4 1
Potential Provlaunch.EXE Binary Proxy Execution Abuse Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel Sigma Integrated Rule Set (GitHub) f004fe52f11323fd4e5294e8a42fcf163c1a8ae373c9be8ff16bd9aa0f8fc321 4 0
Potential Registry Persistence Attempt Via DbgManagedDebugger frack113 Sigma Integrated Rule Set (GitHub) 0764cda98bb00fbde3294e28d5bb3b95797a31d8931448c764caa0743451358f 4 4
Potential appverifUI.DLL Sideloading X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8964e214caef205f5e328fb9bc48c38223b6d8e1d6491c5427230ce74c9e0904 4 3
Potentially Suspicious ODBC Driver Registered Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f7ec5b0533fdece79792bce469c843b6efc7bd40fd54811a5b3ba106ba6b29b2 4 0
PowerShell Core DLL Loaded Via Office Application Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 246dcaa188fd410c547358799f25f6bc9452279b6460d09f2655d188926848ea 4 0
PowerShell WMI Win32_Product Install MSI frack113 Sigma Integrated Rule Set (GitHub) 886a6cdfbfcbcfcde30e44f3ad1ba09800d648cd3e218d41751c49d0b38913e7 4 4
Query to LogMeIn Remote Access Software Domain frack113 Sigma Integrated Rule Set (GitHub) 44c5e7c7bdc6965af0ddf07703f708dcda09e583e4c473d7b247067132a8704c 4 4
RestrictedAdminMode Registry Value Tampering frack113 Sigma Integrated Rule Set (GitHub) e448d82f06478af407e6d655ffbea46e7a876deeda7f5ab28f9de6183e6708a4 4 0
STRRAT Behavior (Sysmon Detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 37be2d5ff063bab1272d9db26a35c83920a7ad21e155ae6c12c1730446b5194d 4 0
Scheduled Task Created - Registry Center for Threat Informed Defense (CTID) Summiting the Pyramid Team Sigma Integrated Rule Set (GitHub) a586d9331b4964f9cac6b848f49a3c0ebfd82bb006193f6220dc52c27f525623 4 0
Screen Capture - macOS remotephone, oscd.community Sigma Integrated Rule Set (GitHub) f4a2d13a06a29fbf2313f88753ab9955589a7aef45cfb0faea108c5bfac59ab3 4 3
Security Software Discovery - Linux Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 62a85e4a565b5b8609540a8aab58fbf730dd8330b219cb92da87bb5be582ebeb 4 4
Security Software Discovery Via Powershell Script frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f02d9a0f1e4d862f9d1b1d10a2f43de36d855212d5a70b671a8493d53a1b1722 4 0
Sideloading Link.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d12dc80661a49ab922f3ed3b488e8a49f6edf53b777c918dc2f0b905b20d9bbb 4 3
Suspicious Child Process Of BgInfo.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f927c3875e2266d2070993dea88e92da092e42fd5716dc5c8254d686fa0222a6 4 0
Suspicious Rundll32 Activity Invoking Sys File Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 4 1
Suspicious Scheduled Task Write to System32 Tasks Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa 4 0
Suspicious Spool Service Child Process Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) Sigma Integrated Rule Set (GitHub) 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed 4 0
Suspicious Use of PsLogList Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 4 1
UAC Bypass Using Consent and Comctl32 - Process Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 4 0
Unusual File Download From File Sharing Websites Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f57e9a5165fe649d867e207c503dd53a05dbd5175c68be9a369174832afc8614 4 4
User Added To Admin Group Via Dscl Sohan G (D4rkCiph3r) Sigma Integrated Rule Set (GitHub) 053a1a9c29702a8132865b251a7d79230d06f3985fe5d8f799079ea3f6748912 4 4
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 213f3b50d46266ee33bedcd7b9691e39509b532ecaac33a9bd6bc6b9ebfdbc12 4 2
VolumeShadowCopy Symlink Creation Via Mklink Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) 3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b 4 3
Arbitrary Shell Command Execution Via Settingcontent-Ms Sreeman Sigma Integrated Rule Set (GitHub) 1eb1f4796a2c05305c0e6fb961bac3fd02861464a7d6bc3d1a35461737101c81 3 1
Certificate Exported Via PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5d6cbfca798cb6cc7bd8029cf8dda1f2096f0f7f9a422bdde483cdc370a4ab12 3 2
Cloudflared Portable Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0df6b3969a48add8dac066e0fb800e67f9c0f718cc0e73bcb8530f3ba4834c15 3 1
Communication To Ngrok Tunneling Service Initiated | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66c8b63b56d52c8e957113c3f77712e8f387682164afca0cd844ddf44255d5a1 | 3 | 1
Conhost.exe CommandLine Path Traversal | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae01473f6fb2564e81d4c6e62699b0c4458725e8a9aa178c9ac3841d5af3b1fa | 3 | 0
Disabled IE Security Features | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd832d1e805b850c68be7f120da6482e6126a8ee0860e3355d54604a2040eee7 | 3 | 0
Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 3 | 0
Equation Group DLL_U Export Function Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f | 3 | 0
Esentutl Gather Credentials | sam0x90 | Sigma Integrated Rule Set (GitHub) | 477a3302165776826dc440702e8eaed12303d2f1dc7a0fc02eb400d3f82f2e6b | 3 | 0
Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 3 | 2
Execute MSDT.EXE Using Diagcab File | GossiTheDog (rule), frack113 (sigma version) | Sigma Integrated Rule Set (GitHub) | c4a1cabbd4c25e14be0bd98c5770d2e94ad2885f8f505bddcd03978cf4ba0905 | 3 | 1
Execution via WorkFolders.exe | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 | 3 | 1
HackTool - Quarks PwDump Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83fcbb048fc301513c7de88d6b54f969a6cbb28bee2de22baf8a56ee7c454e81 | 3 | 0
HackTool - Stracciatella Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91b5e23483ca6c8edbfa31c7fb6978213e819e3f968f35d109a7fb75c36c3deb | 3 | 0
HackTool - TruffleSnout Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2f2b803c7e154a72c734f5b9d5c3d332b3174757ed624c55dad5a52ad36934f8 | 3 | 0
Invoke-Obfuscation Via Use Clip - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 3 | 0
Lace Tempest Cobalt Strike Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 030738beefd23cc9aa74c61d31df8c293d5a9200d3ef5aafb5c65d9dd6ecfdb6 | 3 | 0
Live Memory Dump Using Powershell | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 843f3a30bd6700683442b21bbfb20c59afbc32cc978b84e9b713a85d39d8cc90 | 3 | 1
Malicious ShellIntel PowerShell Commandlets | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 | 3 | 1
MavInject Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d | 3 | 0
Microsoft Excel Add-In Loaded From Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4076e4f038a7d6f293f6e47f60dcd57e4300eed4dc9d024dee3f73d33c6cdad0 | 3 | 2
NTDS.DIT Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 390c3febc49c9a0fc552532f457e9efc5156bdceeafb613044d35aab29b7124f | 3 | 2
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application | frack113 | Sigma Integrated Rule Set (GitHub) | d7bf9b098435065f098535225724119d1065101149d54b78b79c5eb2ac3ee9ea | 3 | 1
New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 3 | 0
Nslookup PwSh Download Cradle | Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 6abd8206d99c8274a0842b1790664265abba050503b2bbafabfd33fd68b91cf0 | 3 | 1
OceanLotus Registry Activity | megan201296, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 5a41f82caece4fe65bbe71be9148baa62a842cabce69fc96f25fcdbf97f8008d | 3 | 0
Outlook Macro Execution Without Warning Setting Enabled | @ScoubiMtl | Sigma Integrated Rule Set (GitHub) | 2f07ac019282aa31e76811036780c9cb961d1b01262e2beeea4f9f7c17a906eb | 3 | 0
Php Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb929216e4b57c3b1275c3d5d5bf04fed77445512365bc0d3af736280b5b382 | 3 | 0
Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 | 3 | 0
Potential Dtrack RAT Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 3 | 0
Potential Persistence Via Security Descriptors - ScriptBlock | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1f7de9310570e85851b78387f389d4afad2aec4f21a751de564e4d9dbe8ef806 | 3 | 0
Potential Waveedit.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4c4ec335e3d6497145157f5feab27885dc6a95ae032af1e936e14e6ec130afc5 | 3 | 0
Potentially Suspicious Electron Application CommandLine | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef3162002154dc7e276e27ac75c84e2115776de86e92e17515db41702b0254c2 | 3 | 2
Powershell Exchange Snapin (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 1920836da8784b3f635f88d7c9216b6619a5f5613a5d53fefb342c817897a736 | 3 | 0
Powershell execute code from registry | Joe Security | Joe Security Rule Set (GitHub) | 22f5c0268236153aea7f17b7fcb4e9a2ef903343534a9c2a98b5c1f8918bb9a5 | 3 | 0
Python Spawning Pretty TTY on Windows | Nextron Systems | Sigma Integrated Rule Set (GitHub) | eb6deecc46500c9d451a514915fe89928aa77232bbaff37b89ff9964febc2f7e | 3 | 1
Registry-Free Process Scope COR_PROFILER | frack113 | Sigma Integrated Rule Set (GitHub) | f566e9fbc25004f90a7c502406100ff744d00b85ad929d568a47872238e1af75 | 3 | 3
Rename system process and copy to suspicious location | Joe Security | Joe Security Rule Set (GitHub) | ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 | 3 | 0
Renamed MegaSync Execution | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 3 | 2
RottenPotato Like Attack Pattern | @SBousseaden, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5389e8a683229a6fb7e29cc17dff4e0811d8239798f60128c6f63871d4bececd | 3 | 0
Schedule script as task | Joe Security | Joe Security Rule Set (GitHub) | 80a5b002421fe7261fe436fe34fde2f1e2a0b5b1d5fb7fee3b2afe02f76952ba | 3 | 0
Suspicious Desktopimgdownldr Command | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb013be28477c7cc6a96b5e49885366af682311b00c0ad036f6df272f0d73bf | 3 | 0
Suspicious Dump64.exe Execution | Austin Songer @austinsonger, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5b1f1b40ef6ce717bbb2c8bc6cae3ad4d4530c3d907caaf29c131d784777fc01 | 3 | 3
Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 3 | 2
Suspicious File Download From File Sharing Domain Via Wget.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2259e9f8814e4d6d8101a51d8c30fdf9734d413e0d7da0a3a122e607e3f1ebde | 3 | 0
Suspicious Plink Port Forwarding | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 3 | 0
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 665e2dd3eae60ab7cd97ffda7adaa13425a564ed16f8bba8bcfc43b8a5023919 | 3 | 0
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 08f4372e76fc0605c4e338fe71c656a918209c7ab03da84c96c5f8d99d4bc241 | 3 | 0
Suspicious X509Enrollment - Ps Script | frack113 | Sigma Integrated Rule Set (GitHub) | 77e34e5ddd682fec92906cbab4f1a75be4ca9f043f76d91925f61910a08af10c | 3 | 3
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e3cdbb4de2c006685f06e358196d7f41ab1098005328b93d9834acae72ddaef0 | 3 | 0
UAC Bypass via Windows Firewall Snap-In Hijack | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 6394e0e9f8661be1f0a1006d948fbd4f1430543e592ee7fb29a34a6c6fded839 | 3 | 0
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 3 | 0
VHD Image Download Via Browser | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | cc2b06ca0a290be229ec488dee7f065eb88793eebdff5809591bff7291d6da7b | 3 | 1
APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5976bfe7c4ff52e5b70711a7444670a4f2d462e99bd30d3c6950495e32018ac | 2 | 0
Active Directory Database Snapshot Via ADExplorer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43d5cafc2ab99baaf01e5514d320d214797cff1d52b8ad3336702522499ae5c4 | 2 | 0
AppX Package Installation Attempts Via AppInstaller.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 8c20386ca2239562a26b808135071390e3abe7434cb251781a4656b1b4cf71e6 | 2 | 0
Arbitrary File Download Via MSPUB.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a70e1836669aefe4c5a9b48179c7a3c4857505b87dbf8a3bb424d268fa80d857 | 2 | 0
Arbitrary File Download Via PresentationHost.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffb4d3b820e87f926948fb36dd6a790bd67e547ee318bb322626148b736139f7 | 2 | 0
Chromium Browser Headless Execution To Mockbin Like Site | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab437fcb52c9fd0fc5d12b825d9c41f440bcebce6d6e68bf64b3c0fa8bfcb27f | 2 | 0
Code Executed Via Office Add-in XLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e | 2 | 0
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 02c7efd9db64dc8e5d5e82d3bba880a3b1ab9e0fec19e15c668b9a63e1d58fb1 | 2 | 0
DNS Query To Visual Studio Code Tunnels Domain | citron_ninja | Sigma Integrated Rule Set (GitHub) | ef7875627109402da8f45dc9d58e5fa63734724bd100987579c6d36e1cb777ae | 2 | 0
ETW Logging Disabled In .NET Processes - Sysmon Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d | 2 | 0
Enable LM Hash Storage - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c9b1d4e376bf1355fb498b17e20c342a11d72a3a856570a9b876c049aa9da6b | 2 | 0
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 368433c7157e0778f035c6c8b5a6cd0f273d860606bfa36f632144c7050b4c7d | 2 | 0
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 769fe648255c0a237ee125f74d2685b54cf7799f6b5cffeae1f2fee47164091c | 2 | 0
Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 2 | 0
Execute Scriptlet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d | 2 | 0
Execution via stordiag.exe | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | c012b058c607c697ab3013783a9a418dd2b233fa1f22ea4f8160238a19c65577 | 2 | 2
Findstr GPP Passwords | frack113 | Sigma Integrated Rule Set (GitHub) | 6403688c88307224c6c37547c26a3634868d77d08502d77529f03daacc410a51 | 2 | 2
HackTool - CrackMapExec Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3b089e7f895f7da0d05f361a5815b3fb843bf243e11174993b9d167b40cdd5ba | 2 | 0
Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e2c2e16d85599543e91b4dc9d25bd09e1b1ba61cafa1810a31073a40c91da39e | 2 | 2
LockerGoga Ransomware Activity | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 | 2 | 0
Microsoft IIS Connecti